Don't blindly trust as211024

2023-12-20 22:59:51 +00:00 · 2023-12-20 22:59:51 +00:00 · 1e66a99352
commit 1e66a99352
parent 0fe863844f
4 changed files with 32 additions and 5 deletions
--- a/lib/constants.nix
+++ b/lib/constants.nix
@ -281,6 +281,25 @@ rec {
    };
  };

+  as211024 = rec {
+    trusted = {
+      v4 = [
+        colony.prefixes.all.v4
+        home.prefixes.all.v4
+        tailscale.prefix.v4
+      ];
+      v6 = [
+        colony.prefixes.all.v6
+        home.prefixes.all.v6
+        tailscale.prefix.v6
+      ];
+    };
+    nftTrust = ''
+      iifname as211024 ip saddr { ${concatStringsSep ", " trusted.v4} } accept
+      iifname as211024 ip6 saddr { ${concatStringsSep ", " trusted.v6} } accept
+    '';
+  };
+
  kelder = {
    groups = {
      storage = 2000;
--- a/nixos/boxes/britway/default.nix
+++ b/nixos/boxes/britway/default.nix
@ -150,8 +150,14 @@ in
              };

              firewall = {
-                trustedInterfaces = [ "as211024" "tailscale0" ];
+                trustedInterfaces = [ "tailscale0" ];
                extraRules = ''
+                  table inet filter {
+                    chain forward {
+                      ${lib.my.as211024.nftTrust}
+                      oifname as211024 accept
+                    }
+                  }
                  table inet nat {
                    chain postrouting {
                      iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@ -366,7 +366,6 @@ in
                };
              };
              firewall = {
-                trustedInterfaces = [ "as211024" ];
                udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
                tcp.allowed = [ 5353 "bgp" ];
                nat = {
@ -416,7 +415,8 @@ in
                    }

                    chain forward {
-                      iifname { wan, $ixps } oifname base jump filter-routing
+                      ${lib.my.c.as211024.nftTrust}
+                      iifname { wan, as211024, $ixps } oifname base jump filter-routing
                      oifname $ixps jump ixp
                      iifname base oifname { base, wan, $ixps } accept
                      oifname { as211024, kelder } accept
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@ -311,7 +311,7 @@ in
              };
            };
            firewall = {
-              trustedInterfaces = [ "lan-hi" "lan-lo" "as211024" ];
+              trustedInterfaces = [ "lan-hi" "lan-lo" ];
              udp.allowed = [ 5353 ];
              tcp.allowed = [ 5353 ];
              nat = {
@ -358,8 +358,10 @@ in
                  }

                  chain forward {
+                    ${lib.my.c.as211024.nftTrust}
                    iifname lan-untrusted jump filter-untrusted
-                    iifname { wan, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing
+                    iifname { wan, as211024, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing
+                    oifname as211024 accept
                  }
                  chain output { }
                }