hosts/{athame,samhain}: nftables per interface config

2026-02-09 12:29:19 -08:00 · 2021-04-26 18:12:38 +01:00 · 2021-04-26 18:12:38 +01:00 · e2a2fcbb13
commit e2a2fcbb13
parent 0a42b7d663
2 changed files with 52 additions and 12 deletions
--- a/hosts/athame/nixos/default.nix
+++ b/hosts/athame/nixos/default.nix
@ -54,17 +54,39 @@
    interface = "enp1s0";
  };

-  networking.firewall.allowedTCPPorts =
-    [ 22 80 443 5160 5060 8999 64738 1935 53589 5001 62969 ];
-  networking.firewall.allowedUDPPorts = [ 5160 5060 64738 ];
-  networking.firewall.allowedTCPPortRanges = [{
+  networking.firewall.interfaces.hexnet.allowedTCPPorts = [
+    80 # http
+    443 # https
+  ];
+
+  networking.firewall.interfaces.enp1s0.allowedTCPPorts = [
+    80 # http
+    443 # https
+    5160 # asterisk
+    5060 # asterisk
+    8999 # syncplay
+    64738 # murmur
+    1935 # rtmp
+    53589 # taskwarrior
+    5001 # znc
+    62969 # yggdrasil
+  ];
+
+  networking.firewall.interfaces.enp1s0.allowedUDPPorts = [
+    5160 # asterisk
+    5060 # asterisk
+    64738 # murmur
+  ];
+
+  networking.firewall.interfaces.enp1s0.allowedTCPPortRanges = [{
    from = 10000;
    to = 20000;
-  }];
-  networking.firewall.allowedUDPPortRanges = [{
+  }]; # asterisk
+
+  networking.firewall.interfaces.enp1s0.allowedUDPPortRanges = [{
    from = 10000;
    to = 20000;
-  }];
+  }]; # asterisk

  deploy.tf.dns.records.kittywitch_net_athame = {
    tld = "kittywit.ch.";
--- a/hosts/samhain/nixos/default.nix
+++ b/hosts/samhain/nixos/default.nix
@ -104,14 +104,32 @@ in {
  networking.useDHCP = false;
  networking.interfaces.enp34s0.useDHCP = true;
  networking.firewall.allowPing = true;
-  networking.firewall.allowedTCPPorts =
-    [ 1935 80 443 445 139 9091 5000 32101 ]; # smb transmission mkchromecast
-  networking.firewall.allowedUDPPorts = [ 137 138 4010 ]; # smb scream
+
+  networking.firewall.interfaces.enp1s0.allowedTCPPorts = [
+    1935 # rtmp
+    80 # http
+    443 # https
+    445 # samba
+    139 # samba
+  ];
+
+  networking.firewall.interfaces.hexnet.allowedTCPPorts = [
+    80 # http
+    443 # https
+    32101 # mpv
+  ];
+
+  networking.firewall.interfaces.enp1s0.allowedUDPPorts = [
+    137 # samba
+    138 # samba
+    4010 # scream
+  ];
+
  networking.firewall.allowedUDPPortRanges = [{
    from = 32768;
    to = 60999;
-  } # dnla
-    ];
+  }]; # dnla
+
  services.avahi.enable = true;

  hexchen.network = {