authorChristian Pointner <equinox@spreadspace.org>2023-04-23 20:14:00 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-04-23 20:14:00 +0200
commite637f7a34bad035f57a21a12c8574e7b07a41fb9 (patch)
tree47cfa6ad6725b2915279c1e85e61ef762ee98224 /inventory
parentch-jump: limit jump targets for c3voc using nftables (diff)
ch-jump: prepare firewall rules for ipv6
Diffstat (limited to 'inventory')
-rw-r--r--inventory/host_vars/ch-jump.yml5
1 files changed, 3 insertions, 2 deletions
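--- a/inventory/host_vars/ch-jump.yml
+++ b/inventory/host_vars/ch-jump.yml
@@ -53,10 +53,11 @@ sshd_jump_users:
 nftables_base_rules:
 public-services: |
-table ip filter {
+table inet filter {
 chain sshd-jump {
 type filter hook output priority filter;
 ct state vmap { established: accept, related: accept, invalid: drop }
-skuid c3voc ip daddr != { {{ network_zones.c3voc.prefix }} } reject
+skuid c3voc ip daddr != { {{ network_zones.c3voc.prefix }} } reject with icmp type admin-prohibited
+# skuid c3voc ip6 daddr != { } reject with icmpv6 type admin-prohibited
 }
 }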
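Review bot: With the table now declared as `table inet filter`, the sshd-jump output chain sees IPv6 packets too, but the only restricting rule (`skuid c3voc ip daddr != {...} reject ...`) matches the IPv4 header only, and its IPv6 counterpart on the next line is commented out — so traffic from the c3voc user to any IPv6 destination passes this chain unrestricted until that rule is enabled (whether another rule set covers it is not visible here). Until an IPv6 prefix for the zone exists, a fail-closed placeholder keeps the intent of the parent commit, e.g. `skuid c3voc meta nfproto ipv6 reject with icmpv6 type admin-prohibited`. The commented rule also carries an empty set literal `{ }`, which nft will not load if the line is simply uncommented; a comment naming the variable to supply, such as `# TODO: define network_zones.c3voc.prefix6 and enable this rule`, would make the follow-up unambiguous. The rest of the nftables_base_rules mapping continues outside the hunk.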