nftables: use networking.firewall.allowed{TCP,UDP}Port{s,Ranges}
This is a no-op as far as actual config is concerned, but allows using the usual networking options again, which before this commit were just old unused code lying around. There are still many other networking options which we set that currently do nothing (e.g. the network bridge to lxc).
This commit is contained in:
parent
283aba0c2c
commit
f389de9c55
1 changed file with 10 additions and 2 deletions
|
@ -1,5 +1,13 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.networking.firewall;
|
||||||
|
mkPorts = ports: ranges:
|
||||||
|
lib.strings.concatStringsSep ", "
|
||||||
|
(map ({from, to}: "${toString from}-${toString to}") ranges
|
||||||
|
++
|
||||||
|
map toString ports);
|
||||||
|
in
|
||||||
{
|
{
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
networking.nat.enable = false;
|
networking.nat.enable = false;
|
||||||
|
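Review bot: mkPorts in this hunk has no guard for the case where both `ports` and `ranges` are empty lists; lib.strings.concatStringsSep then yields an empty string, and once it is interpolated into `tcp dport { ... } accept` further down the file the generated ruleset contains an empty anonymous set, which nft rejects at load time rather than treating as "no ports allowed". Since networking.firewall.allowedTCPPorts and the UDP counterparts default to [] when nothing sets them, a host with no allowed ports would fail to load its firewall. Consider having the caller wrap the rule in `lib.optionalString (cfg.allowedTCPPorts != [] || cfg.allowedTCPPortRanges != [])` (and the same for UDP), and add a short comment above mkPorts stating that it emits nftables set-element syntax (`from-to` for ranges, plain numbers for ports, comma separated) so the next reader does not have to reverse-engineer it.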
@ -39,9 +47,9 @@
|
||||||
|
|
||||||
iifname { lo } accept
|
iifname { lo } accept
|
||||||
|
|
||||||
tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
|
tcp dport { ${mkPorts cfg.allowedTCPPorts cfg.allowedTCPPortRanges} } accept
|
||||||
|
|
||||||
udp dport { 60000-61000, 64738 } accept
|
udp dport { ${mkPorts cfg.allowedUDPPorts cfg.allowedUDPPortRanges} } accept
|
||||||
|
|
||||||
# DHCPv6
|
# DHCPv6
|
||||||
ip6 daddr fe80::/64 udp dport 546 accept
|
ip6 daddr fe80::/64 udp dport 546 accept
|
||||||
|
|
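Review bot: the two rule lines replaced here drop the literal port lists (`25, 80, 443, 465, 587, 993, 4190, 62954, 64738` for TCP and `60000-61000, 64738` for UDP) in favour of interpolating `cfg.allowedTCPPorts` / `cfg.allowedTCPPortRanges` and their UDP counterparts, but this is the only file in the commit, so the "no-op" claim in the message holds only if those option values are set elsewhere in the configuration; otherwise the options' empty defaults silently tighten the firewall (or, per the note on the first hunk, break ruleset loading). Please add a sentence to the commit message naming where those options are populated, and, before merging, confirm equivalence by diffing the rendered nftables ruleset of the old and new generations rather than relying on the Nix expressions looking the same. The `# DHCPv6` and `ip6 daddr fe80::/64 udp dport 546 accept` context lines are unchanged and correct as-is.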