c3voc: disallow outgoing connections from voc to internal nets

author: Christian Pointner <equinox@spreadspace.org> 2023-04-22 16:36:02 +0200
committer: Christian Pointner <equinox@spreadspace.org> 2023-04-22 16:36:19 +0200
commit: 672b76f3c277c5b99e156836a6da88fa997668f7 (patch)
tree: 331e527730c0b6b55a606a5ec1af505b3353fc9a
parent: apt-repo/riot: rename to element and update key (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/inventory/host_vars/ch-gw-c3voc.yml b/inventory/host_vars/ch-gw-c3voc.yml
index 60d833bf..ec85f56c 100644
--- a/inventory/host_vars/ch-gw-c3voc.yml
+++ b/inventory/host_vars/ch-gw-c3voc.yml
@@ -77,6 +77,7 @@ openwrt_mixin:
       flush ruleset
 
       define nic_svc = eth1
+      define prefixes_internal = { 192.168.0.0/16 }
 
       define nic_c3voc = eth0
       define prefix_c3voc = {{ network_zones.c3voc.prefix }}
@@ -108,7 +109,7 @@ openwrt_mixin:
           type filter hook forward priority filter; policy drop;
           ct state vmap { established: accept, related: accept, invalid: drop }
           iif $nic_svc oif $nic_c3voc ip daddr $prefix_c3voc accept
-          iif $nic_c3voc ip saddr $prefix_c3voc oifname $nic_svc accept
+          iif $nic_c3voc ip saddr $prefix_c3voc oifname $nic_svc ip daddr != $prefixes_internal accept
         }
       }
author	Christian Pointner <equinox@spreadspace.org>	2023-04-22 16:36:02 +0200
committer	Christian Pointner <equinox@spreadspace.org>	2023-04-22 16:36:19 +0200
commit	672b76f3c277c5b99e156836a6da88fa997668f7 (patch)
tree	331e527730c0b6b55a606a5ec1af505b3353fc9a
parent	apt-repo/riot: rename to element and update key (diff)