Put in earplugs
parent
26bafa406a
commit
7840392f0d
2 changed files with 39 additions and 13 deletions
|
@ -229,12 +229,21 @@ use dovecot for local IMAP
|
||||||
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
|
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
|
||||||
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
|
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
|
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
|
#+end_src
|
||||||
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
SMB
|
||||||
|
#+BEGIN_SRC scheme
|
||||||
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
|
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT
|
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
|
||||||
|
#+end_src
|
||||||
|
wireguard
|
||||||
|
#+BEGIN_SRC scheme
|
||||||
|
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
|
||||||
|
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
#+BEGIN_SRC scheme
|
||||||
-A INPUT -j REJECT --reject-with icmp-port-unreachable
|
-A INPUT -j REJECT --reject-with icmp-port-unreachable
|
||||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
COMMIT
|
COMMIT
|
||||||
|
@ -247,12 +256,21 @@ COMMIT
|
||||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||||
-A INPUT -p tcp --dport 993 -j ACCEPT
|
-A INPUT -p tcp --dport 993 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
|
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
|
#+end_src
|
||||||
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
SMB
|
||||||
|
#+BEGIN_SRC scheme
|
||||||
-A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 137 -j ACCEPT
|
-A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 137 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 138 -j ACCEPT
|
-A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 138 -j ACCEPT
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp -s fd24:609a:6c18::/64 --dport 139 -j ACCEPT
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp -s fd24:609a:6c18::/64 --dport 445 -j ACCEPT
|
||||||
|
#+end_src
|
||||||
|
wireguard
|
||||||
|
#+BEGIN_SRC scheme
|
||||||
|
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
|
||||||
|
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
#+BEGIN_SRC scheme
|
||||||
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
|
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
|
||||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
COMMIT
|
COMMIT
|
||||||
|
@ -267,6 +285,7 @@ details can be found (and mostly ignored) in [[https://guix.gnu.org/cookbook/en
|
||||||
(service wireguard-service-type
|
(service wireguard-service-type
|
||||||
(wireguard-configuration
|
(wireguard-configuration
|
||||||
(addresses '("10.0.0.23" "fd24:609a:6c18::23"))
|
(addresses '("10.0.0.23" "fd24:609a:6c18::23"))
|
||||||
|
(private-key "/etc/wireguard/private.key")
|
||||||
(port 51820)
|
(port 51820)
|
||||||
(peers
|
(peers
|
||||||
(list
|
(list
|
||||||
|
|
|
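Review bot: In the IPv6 hunk of the org file, the four SMB ACCEPT rules (udp 137/138, tcp 139/445) are scoped to `-s fd24:609a:6c18::/64`, and the wireguard hunk below gives this host's own tunnel address as `fd24:609a:6c18::23`, so unless the LAN also uses that ULA prefix the WireGuard peers fall inside the source match and can reach SMB over wg0 — the IPv4 side does not have this gap because 192.168.0.0/16 does not contain the 10.0.0.23 tunnel address, and the later `-i wg0 ... --state ESTABLISHED,RELATED` rule cannot narrow it since the ACCEPTs are evaluated first. Qualifying the four rules by interface, e.g. `-A INPUT -i <LAN-IFACE> -m state --state NEW -m tcp -p tcp -s fd24:609a:6c18::/64 --dport 445 -j ACCEPT` (placeholder interface name) or adding `! -i wg0`, makes the IPv6 policy match the IPv4 one. The same rules recur in the tangled copy in the second file, so a fix here must be re-tangled. The added `(private-key "/etc/wireguard/private.key")` appears to restate the service type's documented default; a one-line org note saying so would save the next reader a lookup. The `*filter` preamble and any earlier generic ESTABLISHED,RELATED accept are outside these hunks, so I have not assumed them.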
@ -1,6 +1,6 @@
|
||||||
;; -*- mode: scheme; coding: utf-8; -*-
|
;; -*- mode: scheme; coding: utf-8; -*-
|
||||||
;;
|
;;
|
||||||
;; tangled from framework13-system.org on 2024-01-23 20:36:10+01:00)
|
;; tangled from framework13-system.org on 2024-01-24 15:26:24+01:00)
|
||||||
|
|
||||||
(use-modules (gnu)
|
(use-modules (gnu)
|
||||||
(gnu packages)
|
(gnu packages)
|
||||||
|
@ -133,12 +133,15 @@
|
||||||
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
|
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
|
||||||
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
|
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
|
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
|
|
||||||
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
|
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT
|
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
|
||||||
|
|
||||||
|
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
|
||||||
|
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
-A INPUT -j REJECT --reject-with icmp-port-unreachable
|
-A INPUT -j REJECT --reject-with icmp-port-unreachable
|
||||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
COMMIT
|
COMMIT
|
||||||
|
@ -151,12 +154,15 @@ COMMIT
|
||||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||||
-A INPUT -p tcp --dport 993 -j ACCEPT
|
-A INPUT -p tcp --dport 993 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
|
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
|
|
||||||
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
-A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 137 -j ACCEPT
|
-A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 137 -j ACCEPT
|
||||||
-A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 138 -j ACCEPT
|
-A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 138 -j ACCEPT
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp -s fd24:609a:6c18::/64 --dport 139 -j ACCEPT
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp -s fd24:609a:6c18::/64 --dport 445 -j ACCEPT
|
||||||
|
|
||||||
|
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
|
||||||
|
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
|
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
|
||||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
COMMIT
|
COMMIT
|
||||||
|
@ -165,6 +171,7 @@ COMMIT
|
||||||
(service wireguard-service-type
|
(service wireguard-service-type
|
||||||
(wireguard-configuration
|
(wireguard-configuration
|
||||||
(addresses '("10.0.0.23" "fd24:609a:6c18::23"))
|
(addresses '("10.0.0.23" "fd24:609a:6c18::23"))
|
||||||
|
(private-key "/etc/wireguard/private.key")
|
||||||
(port 51820)
|
(port 51820)
|
||||||
(peers
|
(peers
|
||||||
(list
|
(list
|
||||||
|
|