diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 02:52:55 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 05:45:59 +0200 |
commit | bac7811d2b35252b7a83a45d75bb344b4b1776a9 (patch) | |
tree | 02176a15d570cab6dbd55b52b6df5c7b7b0538b1 /roles/common/templates/etc/nftables.conf.j2 | |
parent | c4f24043baeccc95556fb9c3c032505ecadb5fbd (diff) |
Upgrade baseline to Debian 10.
Diffstat (limited to 'roles/common/templates/etc/nftables.conf.j2')
-rwxr-xr-x | roles/common/templates/etc/nftables.conf.j2 | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2 index 1e1fde2..3d2a23d 100755 --- a/roles/common/templates/etc/nftables.conf.j2 +++ b/roles/common/templates/etc/nftables.conf.j2 @@ -86,7 +86,8 @@ table inet filter { udp sport 53 ct state related,established accept tcp sport 53 ct state related,established accept {% if 'dhclient' in group_names %} - udp sport 67 ct state related,established accept + ip version 4 udp sport 67 udp dport 68 ct state related,established accept + ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept {% endif %} meta l4proto tcp ip saddr @fail2ban counter drop @@ -115,13 +116,18 @@ table inet filter { jump invalid udp sport 123 udp dport 123 ct state new,related,established accept +{% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept +{% if groups.NATed | length > 0 %} udp sport 4500 udp dport 4500 ct state new,related,established accept +{% endif %} +{% endif %} udp dport 53 ct state new,related,established accept tcp dport 53 ct state new,related,established accept {% if 'dhclient' in group_names %} - udp dport 67 ct state new,related,established accept + ip version 4 udp sport 68 udp dport 67 ct state new,related,established accept + ip6 version 6 udp sport 546 udp dport 547 ct state new,related,established accept {% endif %} tcp sport $in-tcp-ports ct state related,established accept |