Firewall comments

Mark Janssen 2024-12-02 21:57:47 +01:00
parent b51372bfb2
commit 69547fc540
Signed by: foobar
GPG key ID: D8674D8FC4F69BD2
8 changed files with 10 additions and 19 deletions


@ -20,7 +20,7 @@ trusted_ranges:
# - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset
- { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" }
- { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" }
- { v: ipv6, cidr: "2a05:2d01:1337::/48", comment: "eventinfra v6-range" }
- { v: ipv6, cidr: "2a05:2d01:1337::/48", comment: "bitlair space v6-range" }
- { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" }
trusted_ports:
- ssh
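Review bot: The relabelled entry `2a05:2d01:1337::/48` is itself a /48, while the commented-out line at the top of this hunk says /48s cannot go in the ipset ("/48's kunnen niet in de ipset"). Either that remark is stale, or this prefix may not actually be loaded into the set, in which case the new label describes a trust entry that has no effect; the hunk alone does not show which. Because members of `trusted_ranges` presumably gain access to `trusted_ports` such as ssh, it is worth confirming on a host that the prefix is present in the loaded set and then updating or dropping the old remark to match.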


@ -11,6 +11,5 @@ trusted_ports:
- microsoft-ds
group_nft_input:
- "# Allow traffic from wiki"
- "ip saddr 204.2.64.19 tcp dport { 4567 } accept"
- "ip saddr 204.2.64.19 tcp dport { 4567 } accept # Allow traffic from wiki"
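Review bot: The justification now travels as a trailing `# …` inside the rule string, which nft drops while parsing, so `nft list ruleset` on the host shows the accept rule without its reason; this applies to every `group_nft_input` entry changed in this commit. nftables has a native rule comment that stays attached to the loaded rule, e.g. `- 'ip saddr 204.2.64.19 tcp dport { 4567 } accept comment "Allow traffic from wiki"'`, which makes later audits of the live ruleset easier. The trailing `#` form is also only safe if the template writes each list item on its own line of the ruleset file; that template is not visible here, so it is worth confirming nothing gets appended to the same line after an item.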


@ -7,8 +7,7 @@ git_server_title: Gitlair
git_server_bootstrap_cert: no
group_nft_input:
- "# Allow ssh(git) + web-traffic from world"
- "tcp dport { ssh, http, https } accept"
- "tcp dport { ssh, http, https } accept # Allow ssh(git) + web-traffic from world"
nginx_client_max_body_size: 4G


@ -3,10 +3,8 @@ acme_san_domains:
- [ homeassistant.bitlair.nl ]
group_nft_input:
- "# Allow web-traffic from world"
- "tcp dport { http, https } accept"
- "# mqtt from world"
- "tcp dport { 1883 } accept"
- "tcp dport { http, https } accept # Allow web-traffic from world"
- "tcp dport { 1883 } accept # mqtt from world"
nginx_sites:
- server_name: "homeassistant.bitlair.nl"
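Review bot: `tcp dport { 1883 } accept # mqtt from world` opens the plaintext MQTT port to any source, and the same rule appears in the last file of this commit (the ravespace.nl group). The broker configuration is not visible here, but unless it enforces authentication, anyone can connect, and even with authentication the credentials and topic data cross the internet unencrypted. If world access is intended, consider serving MQTT over TLS on 8883 instead, or narrowing the rule with a source match such as `ip saddr <publisher-range> tcp dport { 1883 } accept`. At minimum the comment could record why world access is needed rather than only restating the rule.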


@ -4,8 +4,7 @@ acme_san_domains:
- ["{{ monitoring_domain }}"]
group_nft_input:
- "# Allow web-traffic from world"
- "tcp dport { http, https } accept"
- "tcp dport { http, https } accept # Allow web-traffic from world"
prometheus_scrape_configs:
- job_name: "node"


@ -25,5 +25,4 @@ nginx_sites:
- "}"
group_nft_input:
- "# Allow web-traffic from world"
- "tcp dport { http, https } accept"
- "tcp dport { http, https } accept # Allow web-traffic from world"


@ -3,5 +3,4 @@
manage_sshd_config: false
group_nft_input:
- "# Allow SSH from world"
- "tcp dport { ssh } accept"
- "tcp dport { ssh } accept # Allow SSH from world"
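Review bot: `tcp dport { ssh } accept` admits SSH from any source for this group, whereas the first file in this commit lists ssh under `trusted_ports`, which presumably restricts it to `trusted_ranges`. With `manage_sshd_config: false` directly above, sshd hardening on these hosts appears not to be enforced by this playbook, so the comment should state why the exception exists, for example `# Allow SSH from world (<reason>; key-only auth enforced outside this role)`. If the exposure is not required, dropping the rule and relying on the trusted-range path (assuming it applies to this group) would be the tighter default.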


@ -5,10 +5,8 @@ acme_san_domains:
- [ ravespace.nl ]
group_nft_input:
- "# Allow web-traffic from world"
- "tcp dport { http, https } accept"
- "# mqtt from world"
- "tcp dport { 1883 } accept"
- "tcp dport { http, https } accept # Allow web-traffic from world"
- "tcp dport { 1883 } accept # mqtt from world"
nginx_sites:
- server_name: "bitlair.nl"