nixos: Improve inner firewalls

2022-06-12 17:33:33 +01:00
parent c0ca7888aa
commit f38c5872a4
2 changed files with 18 additions and 2 deletions
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@@ -155,7 +155,15 @@
          server.enable = true;
          firewall = {
-            trustedInterfaces = [ "base" "vms" ];
+            trustedInterfaces = [ "vms" ];
            extraRules = ''
              table inet filter {
                chain forward {
                  # Trust that the outer firewall has done the filtering!
                  iifname base oifname vms accept
                }
              }
            '';
          };
        };
      };
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@@ -117,7 +117,15 @@
              firewall = {
                tcp.allowed = [ 19999 ];
-                trustedInterfaces = [ "vms" "ctrs" ];
+                trustedInterfaces = [ "ctrs" ];
                extraRules = ''
                  table inet filter {
                    chain forward {
                      # Trust that the outer firewall has done the filtering!
                      iifname vms oifname ctrs accept
                    }
                  }
                '';
              };
              containers.instances =