###################################################
## MANAGED BY SALT in salt/files/nftables/asgard ##
###################################################
chain global {
ct state invalid drop
ct state established, related accept
iif lo accept
oif lo accept
ip6 saddr fe80::/10 ip6 nexthdr icmpv6 icmpv6 type { mld2-listener-report, nd-router-solicit, nd-neighbor-advert } accept
}
chain global_internal {
icmpv6 type { mld2-listener-report, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
# ping to witch1/downloadtmp/freeipa
ip6 saddr @lan_ipv6 ip6 daddr { $witch1, $downloadtmp, $host6_freeipa, $host6_freeipa2 } ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } accept
# DNS/HTTPS/NTP/LDAPS/SMTP (to hel)
ip6 daddr @host6_hel tcp dport { domain, https, ntp, ldaps, smtp } accept
ip6 daddr @host6_hel udp dport { domain, ntp } accept
# Salt (to witch1)
ip6 daddr $witch1 tcp dport 4505-4506 accept
# LDAPS (to freeipa)
ip6 daddr { $host6_freeipa, $host6_freeipa2 } tcp dport ldaps accept
# Repositories
ip6 daddr $downloadtmp tcp dport http accept
# Syslog
ip6 daddr $host6_monitor udp dport syslog accept
ip6 daddr $host6_monitor tcp dport 514 accept # why tcp in addition to udp??
# downloadcontent.o.o ACL
ip6 saddr @acl6_internet_downloadcontent ip6 daddr @host6_downloadcontent icmpv6 type { echo-request, echo-reply } accept
ip6 saddr @acl6_internet_downloadcontent ip6 daddr @host6_downloadcontent tcp dport https accept
# id.o.o ACL (OpenID) (usually only clients on the internet should need to connect to id.o.o, but some internal machines use it to query metadata?)
ip6 saddr @acl6_internet_idoo ip6 daddr @cloud6_idoo icmpv6 type { echo-request, echo-reply } accept
ip6 saddr @acl6_internet_idoo ip6 daddr @cloud6_idoo tcp dport https accept
# traceroute
udp dport != { 53, 123, 514 } ip protocol udp log prefix "[UDP Rejected] " reject
udp dport != { 53, 1053, 123, 514, 3780, 60000-61000 } ip6 nexthdr udp log prefix "[UDP Rejected] " reject
}
chain global_internal_legacy {
# ping to witch1/freeipa
ip daddr { $witch1_mapped, $host4_freeipa } ip protocol icmp icmp type { echo-request, echo-reply } accept
# DNS/HTTPS/NTP/LDAPS/SMTP (to hel)
ip daddr @host4_hel tcp dport { domain, https, ntp, ldaps, smtp } accept
ip daddr @host4_hel udp dport { domain, ntp } accept
# Salt (to witch1)
ip daddr $witch1_mapped tcp dport 4505-4506 accept
# LDAPS (to freeipa)
ip daddr $host4_freeipa tcp dport ldaps accept
# Syslog
ip daddr $host4_monitor tcp dport 514 accept
# traceroute
udp dport != { 53, 123, 514 } ip protocol udp log prefix "[UDP Rejected] " reject
}