From 35a63d7aaa7797c3ab87d8fcb6dfcf1376a0fcbf Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Thu, 25 Jul 2024 10:53:44 +0200 Subject: [PATCH] Make trusted_ports list --- group_vars/all.yaml | 2 ++ group_vars/fotos.yaml | 4 ++++ group_vars/mqtt.yaml | 6 +++--- roles/nft/templates/nftables.conf.j2 | 4 ++-- 4 files changed, 11 insertions(+), 5 deletions(-) diff --git a/group_vars/all.yaml b/group_vars/all.yaml index 18728b5..18707fc 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -21,6 +21,8 @@ trusted_ranges: - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" } - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" } - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" } +trusted_ports: + - ssh root_access: - ak diff --git a/group_vars/fotos.yaml b/group_vars/fotos.yaml index ce3dc05..ca34caa 100644 --- a/group_vars/fotos.yaml +++ b/group_vars/fotos.yaml @@ -6,6 +6,10 @@ root_access: - polyfloyd - wilco +trusted_ports: + - ssh + - microsoft-ds + group_nft_input: - "# Allow traffic from wiki" - "ip saddr 204.2.64.19 tcp dport { 4567 } accept" diff --git a/group_vars/mqtt.yaml b/group_vars/mqtt.yaml index 5b4604d..af51b73 100644 --- a/group_vars/mqtt.yaml +++ b/group_vars/mqtt.yaml @@ -3,6 +3,6 @@ nft_group_rules: - { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" } -group_nft_input: - - ip saddr @trusted4 tcp dport { 1883 } accept - - ip6 saddr @trusted6 tcp dport { 1883 } accept +trusted_ports: + - ssh + - 1883 diff --git a/roles/nft/templates/nftables.conf.j2 b/roles/nft/templates/nftables.conf.j2 index 23481bb..ce52b65 100644 --- a/roles/nft/templates/nftables.conf.j2 +++ b/roles/nft/templates/nftables.conf.j2 
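Review bot: The new `trusted_ports` default in group_vars/all.yaml is replaced wholesale by any group-level definition (Ansible does not merge list variables), so a group that forgets to repeat `ssh` silently drops SSH access for the trusted ranges; both overrides in this commit (group_vars/fotos.yaml and group_vars/mqtt.yaml) do repeat it, but nothing documents that requirement. I would add a comment above the new key: `# TCP ports opened to trusted_ranges by roles/nft. Group overrides replace this list entirely, so always keep ssh in them.` This applies equally to the fotos and mqtt hunks, which carry no comment either.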
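Review bot: Adding `microsoft-ds` to `trusted_ports` in group_vars/fotos.yaml exposes TCP 445 to every entry in `trusted_ranges` from group_vars/all.yaml, including the wifi ranges, since the template renders one rule per trusted set rather than per source; if SMB was previously reachable from a narrower source list this is a widening, but I cannot see the rest of `group_nft_input` in this hunk to confirm. A one-line comment stating the intended client population, e.g. `# SMB for trusted LAN/wifi clients`, would make the scope deliberate. The `group_nft_input` list that follows continues outside the hunk.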
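Review bot: In group_vars/mqtt.yaml the new list mixes a plain string `ssh` with an unquoted integer `1883`; the template's `join(', ')` stringifies it so the rendered rule is correct, but the context line above already writes `port: "1883"` as a quoted string, so the same file is now inconsistent about port typing. I would write `- "1883"` so every entry of `trusted_ports` is a string and the list cannot be reordered or retyped by tooling. The removed `group_nft_input` rules used the same `@trusted4`/`@trusted6` sets as the template, so the replacement looks equivalent as far as this hunk shows.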
@@ -73,8 +73,8 @@ set trusted6 { } accept # Open ssh only for trusted machines - ip saddr @trusted4 tcp dport { ssh } accept - ip6 saddr @trusted6 tcp dport { ssh } accept + ip saddr @trusted4 tcp dport { {{ trusted_ports|join(', ') }} } accept + ip6 saddr @trusted6 tcp dport { {{ trusted_ports|join(', ') }} } accept # Rules based on group-vars {% for custom in nft_group_rules %}
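Review bot: The comment `# Open ssh only for trusted machines` two lines above the changed rules is now stale, because the rules open whatever `trusted_ports` contains; it should read `# Open trusted_ports (group_vars) only for trusted machines`. The template also renders `dport {  }` when a group sets `trusted_ports: []`, which nft rejects as far as I know, so the two rules should be wrapped in `{% if trusted_ports %}` … `{% endif %}` rather than letting an empty override break the whole ruleset load. Values are taken verbatim into the nft set with no validation, so a stray comma or space in a group var silently changes rule semantics; the variable should be documented as "nft service names or port numbers only". The surrounding chain starts before this hunk.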