From e637f7a34bad035f57a21a12c8574e7b07a41fb9 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 23 Apr 2023 20:14:00 +0200
Subject: ch-jump: prepare firewall rules for ipv6

---
 inventory/host_vars/ch-jump.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'inventory/host_vars/ch-jump.yml')

diff --git a/inventory/host_vars/ch-jump.yml b/inventory/host_vars/ch-jump.yml
index ab03c1a4..8873864b 100644
--- a/inventory/host_vars/ch-jump.yml
+++ b/inventory/host_vars/ch-jump.yml
@@ -53,10 +53,11 @@ sshd_jump_users:
 nftables_base_rules:
   public-services: |
-    table ip filter {
+    table inet filter {
       chain sshd-jump {
         type filter hook output priority filter;
         ct state vmap { established: accept, related: accept, invalid: drop }
-        skuid c3voc ip daddr != { {{ network_zones.c3voc.prefix }} } reject
+        skuid c3voc ip daddr != { {{ network_zones.c3voc.prefix }} } reject with icmp type admin-prohibited
+        # skuid c3voc ip6 daddr != { } reject with icmpv6 type admin-prohibited
       }
     }
-- 
cgit v1.2.3
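Review bot: Switching the table from `ip` to `inet` makes the sshd-jump chain see IPv6 output too, but the only egress restriction for the c3voc user still matches `ip daddr`, and the `ip6 daddr` rule is commented out with an empty set; the chain declares no `policy`, so IPv6 packets from that user now fall through to the default accept. Until the IPv6 prefix for the c3voc zone is available, an interim catch-all keeps the restriction fail-closed: `skuid c3voc meta nfproto ipv6 reject with icmpv6 type admin-prohibited` placed where the commented line is. When the real rule is enabled, check that `network_zones.c3voc.prefix` is not reused unchanged for `ip6 daddr`, since it appears to hold only the IPv4 prefix here. The surrounding `nftables_base_rules` mapping starts before the hunk.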