firewall: allow connections from master with NATted IP

This commit is contained in:
Timotej Lazar 2024-02-06 09:19:49 +01:00
parent f54b23f49a
commit 91afaec9c2

View file

@ -25,8 +25,15 @@ table inet filter {
iif mgmt tcp dport ssh accept \ iif mgmt tcp dport ssh accept \
comment "Accept SSH from management VRF" comment "Accept SSH from management VRF"
tcp dport ssh ip saddr {{ hostvars[master]['ansible_host'] }} accept \ # allow SSH connections from firewall master’s IPs
comment "Accept SSH from firewall master" {% for iface in hostvars[master].interfaces %}
{% for address in iface.ip_addresses | selectattr('family.value', '==', 4) %}
tcp dport ssh {{ 'ip' if address.family.value == 4 else 'ip6' }} saddr {{ address.address | ipaddr('address') }} accept
{% for nat_address in address.nat_outside %}
tcp dport ssh ip saddr {{ nat_address.address | ipaddr('address') }} accept
{% endfor %}
{% endfor %}
{% endfor %}
iif @link tcp dport bgp ip6 saddr fe80::/10 accept \ iif @link tcp dport bgp ip6 saddr fe80::/10 accept \
comment "Accept link-local BGP on fabric links" comment "Accept link-local BGP on fabric links"