From 2106292bbe599b99316d9f9a721899fb4d4c8219 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Tue, 14 Feb 2023 11:01:29 +0800
Subject: [PATCH] hosts/plover: add local area network to firewall

---
 hosts/plover/modules/services/coredns.nix | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/hosts/plover/modules/services/coredns.nix b/hosts/plover/modules/services/coredns.nix
index 50a91cf7..f7f3a88a 100644
--- a/hosts/plover/modules/services/coredns.nix
+++ b/hosts/plover/modules/services/coredns.nix
@@ -6,7 +6,7 @@
 # on you. Either that or we can easily move the resolver somewhere else.
 let
   inherit (config.networking) domain fqdn;
-  inherit (import ../hardware/networks.nix) interfaces clientNetworks serverNetworks secondaryNameServers;
+  inherit (import ../hardware/networks.nix) privateIPv6Prefix interfaces clientNetworks serverNetworks secondaryNameServers;
 
   dnsSubdomain = "ns1";
   dnsDomainName = "${dnsSubdomain}.${domain}";
@@ -34,6 +34,10 @@ let
     (lib.attrValues secondaryNameServers);
   secondaryNameServersIPs = secondaryNameServersIPv4 ++ secondaryNameServersIPv6;
 
+  # The local network segments.
+  allowedIPs = secondaryNameServersIPv4 ++ [ "172.16.0.0/12" ];
+  allowedIPv6s = secondaryNameServersIPv6 ++ [ "${privateIPv6Prefix}::/64" ];
+
   dnsListenAddresses = with interfaces; [
     internal.IPv4.address
     internal.IPv6.address
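Review bot: The new `allowedIPs` entry `"172.16.0.0/12"` is a hard-coded literal that admits the whole RFC 1918 172.16/12 range, while the same `let` already inherits `clientNetworks` and `serverNetworks` from `../hardware/networks.nix`; defining the LAN prefix there and inheriting it next to `privateIPv6Prefix` keeps one source of truth and lets the allowlist be narrowed to the segments actually in use. The added `# The local network segments.` comment describes only the appended literals, not the combined lists, so consider `# Secondary nameservers plus the local network segments that may query us.`. Whether `${privateIPv6Prefix}::/64` is the right prefix length depends on how `privateIPv6Prefix` is defined in networks.nix, which is outside this patch.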
@@ -69,8 +73,8 @@ in
   # Setting up the firewall to make less things to screw up in case anything is
   # screwed up.
   networking.firewall.extraInputRules = ''
-    meta l4proto {tcp, udp} th dport 53 ip saddr { ${lib.concatStringsSep ", " secondaryNameServersIPv4} } accept comment "Accept DNS queries from secondary nameservers"
-    meta l4proto {tcp, udp} th dport 53 ip6 saddr { ${lib.concatStringsSep ", " secondaryNameServersIPv6} } accept comment "Accept DNS queries from secondary nameservers"
+    meta l4proto {tcp, udp} th dport 53 ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers"
+    meta l4proto {tcp, udp} th dport 53 ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers"
   '';
 
   # The main DNS server.
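Review bot: Both rewritten rules keep the nftables `comment "Accept DNS queries from secondary nameservers"` even though the source sets now also contain the local network, so `nft list ruleset` will describe the rules inaccurately; change both to `comment "Accept DNS queries from secondary nameservers and the local network"`. The private ranges are matched on `saddr` alone with no interface qualifier, and a source address is not an authenticator for UDP; if the LAN is only reachable through the `internal` interface that `dnsListenAddresses` already refers to, splitting the private-range portion into its own rule with an `iifname` match would keep RFC 1918 sources arriving on a public interface from being accepted. The `networking.firewall.extraInputRules` string is fully inside the hunk, but the enclosing attribute set begins and ends outside it.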