From bac7811d2b35252b7a83a45d75bb344b4b1776a9 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sat, 16 May 2020 02:52:55 +0200
Subject: Upgrade baseline to Debian 10.

---
 roles/common/templates/etc/nftables.conf.j2 | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'roles/common/templates/etc/nftables.conf.j2')

diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 1e1fde2..3d2a23d 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -86,7 +86,8 @@ table inet filter {
         udp sport 53 ct state related,established accept
         tcp sport 53 ct state related,established accept
 {% if 'dhclient' in group_names %}
-        udp sport 67 ct state related,established accept
+        ip  version 4 udp sport  67 udp dport  68 ct state related,established accept
+        ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept
 {% endif %}
 
         meta l4proto tcp ip  saddr @fail2ban  counter drop
@@ -115,13 +116,18 @@ table inet filter {
         jump invalid
 
         udp sport  123 udp dport  123 ct state new,related,established accept
+{% if groups.all | length > 1 %}
         udp sport  500 udp dport  500 ct state new,related,established accept
+{% if groups.NATed | length > 0 %}
         udp sport 4500 udp dport 4500 ct state new,related,established accept
+{% endif %}
+{% endif %}
 
         udp dport 53 ct state new,related,established accept
         tcp dport 53 ct state new,related,established accept
 {% if 'dhclient' in group_names %}
-        udp dport 67 ct state new,related,established accept
+        ip  version 4 udp sport  68 udp dport  67 ct state new,related,established accept
+        ip6 version 6 udp sport 546 udp dport 547 ct state new,related,established accept
 {% endif %}
 
         tcp sport $in-tcp-ports  ct state related,established accept
-- 
cgit v1.2.3