From 6dcae194d7adf398a5fec773fb039d5019946a37 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Mon, 8 Apr 2024 15:03:29 +0200
Subject: [PATCH] firewall: accept VPN connections from inside also
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

People tend to leave WireGuard tunnels active and we don’t want things to become unreachable when moving to one of the inside networks.
---
 roles/firewall/templates/nftables.nft.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2
index 060c1bc..d0b0892 100644
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@@ -41,8 +41,8 @@ table inet filter {
 iif @link udp dport 3784 ip6 saddr fe80::/10 accept \
 comment "Accept link-local BFD on fabric links"
- iif @outside udp dport 51820 accept \
- comment "Accept WireGuard from outside"
+ udp dport 51820 accept \
+ comment "Accept WireGuard from anywhere"
 iif {{ iface_sync }} ip6 saddr fe80::/10 udp dport 3780 accept \
 comment "Accept connection tracking sync data"
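Review bot: Dropping the `iif @outside` qualifier makes the new accept rule match UDP 51820 arriving on every interface, including the `@link` fabric interfaces and `{{ iface_sync }}`, which the neighbouring rules in this hunk deliberately scope by interface and link-local source, while the commit message only asks for the inside networks to be added. Listing the intended interfaces gives the same reachability with a smaller surface, e.g. `iif { @outside, @INSIDE_SET } udp dport 51820 accept \` where `@INSIDE_SET` is a placeholder for whatever set or variable the template uses for the inside networks (not visible in this hunk), with the comment updated to `comment "Accept WireGuard from outside and inside"`. WireGuard silently discards packets that fail authentication, so the added exposure is the UDP listener on the fabric and sync links rather than the tunnels themselves, but keeping the rule interface-scoped also stays consistent with the style of the rest of this chain. The hunk header counts 8 lines on each side while only 6 are visible, so two (presumably blank) context lines appear to have been lost in rendering.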