firewall: add convenience nftables set for AD ports

Probably not all of these are necessary. Would be nice to allow configuring this from the app.
2024-09-19 16:25:51 +02:00 · 2024-09-19 16:25:51 +02:00 · 6c18e2ff94
commit 6c18e2ff94
parent ae1cfd5337
1 changed files with 24 additions and 0 deletions
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@ -13,6 +13,30 @@ table inet filter {
        elements = { {{ ifaces_fabric | product(['2', '4']) | map('join', '.') | join(', ') }} }
    }

+    # convenience port set definitions
+    set ad-ports { # https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/config-firewall-for-ad-domains-and-trusts
+        type inet_proto . inet_service
+        flags interval
+        elements = {
+            tcp . 88,
+            tcp . 135,
+            tcp . 389,
+            tcp . 445,
+            tcp . 464,
+            tcp . 636,
+            tcp . 3268-3269,
+            tcp . 5000-5100,
+            tcp . 9389,
+            tcp . 22222-22224,
+            tcp . 49152-65535,
+            udp . 88,
+            udp . 135,
+            udp . 389,
+            udp . 464,
+            udp . 3269
+        }
+    }
+
    chain input {
        type filter hook input priority 0; policy drop