nixos: Improve inner firewalls

2022-06-12 17:33:33 +01:00
parent c0ca7888aa
commit f38c5872a4
2 changed files with 18 additions and 2 deletions
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@@ -155,7 +155,15 @@
          server.enable = true;

          firewall = {
-            trustedInterfaces = [ "base" "vms" ];
+            trustedInterfaces = [ "vms" ];
+            extraRules = ''
+              table inet filter {
+                chain forward {
+                  # Trust that the outer firewall has done the filtering!
+                  iifname base oifname vms accept
+                }
+              }
+            '';
          };
        };
      };
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@@ -117,7 +117,15 @@

              firewall = {
                tcp.allowed = [ 19999 ];
-                trustedInterfaces = [ "vms" "ctrs" ];
+                trustedInterfaces = [ "ctrs" ];
+                extraRules = ''
+                  table inet filter {
+                    chain forward {
+                      # Trust that the outer firewall has done the filtering!
+                      iifname vms oifname ctrs accept
+                    }
+                  }
+                '';
              };

              containers.instances =