From 56e48aa93e39baf5423942c96a0b2bf3c2a9f058 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Mar 27 2024 00:28:03 +0000 Subject: Allow global HTTPS access to Hel Needed for kanidm-unixd which will be deployed on all machines to reach idm.i.o.o. Signed-off-by: Georg Pfuetzenreuter
---
diff --git a/salt/files/nftables/asgard/zones/00_global.nft b/salt/files/nftables/asgard/zones/00_global.nft
index 527ee1b..97f5c5c 100644
--- a/salt/files/nftables/asgard/zones/00_global.nft
+++ b/salt/files/nftables/asgard/zones/00_global.nft
@@ -17,8 +17,8 @@
 # ping to witch1/downloadtmp/freeipa
 ip6 saddr @lan_ipv6 ip6 daddr { $witch1, $downloadtmp, $host6_freeipa, $host6_freeipa2 } ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } accept
- # DNS/NTP/LDAPS/SMTP (to hel)
- ip6 daddr @host6_hel tcp dport { domain, ntp, ldaps, smtp } accept
+ # DNS/HTTPS/NTP/LDAPS/SMTP (to hel)
+ ip6 daddr @host6_hel tcp dport { domain, https, ntp, ldaps, smtp } accept
 ip6 daddr @host6_hel udp dport { domain, ntp } accept
 # Salt (to witch1)
@@ -52,8 +52,8 @@
 # ping to witch1/freeipa
 ip daddr { $witch1_mapped, $host4_freeipa } ip protocol icmp icmp type { echo-request, echo-reply } accept
- # DNS/NTP/LDAPS/SMTP (to hel)
- ip daddr @host4_hel tcp dport { domain, ntp, ldaps, smtp } accept
+ # DNS/HTTPS/NTP/LDAPS/SMTP (to hel)
+ ip daddr @host4_hel tcp dport { domain, https, ntp, ldaps, smtp } accept
 ip daddr @host4_hel udp dport { domain, ntp } accept
 # Salt (to witch1)
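Review bot: The rewritten comment in the IPv6 hunk (`# DNS/HTTPS/NTP/LDAPS/SMTP (to hel)`) records that https is now permitted but not why, so the justification given only in the commit message (kanidm-unixd on every machine must reach idm) is lost to the next person auditing `00_global.nft`; the IPv4 hunk at `@@ -52,8 +52,8 @@` has the same gap. Both changed rules match on `daddr` alone with no `saddr`, so the new https entry is reachable from every source the enclosing chain already admits, which matches the "global" intent but deserves to be stated where the rule lives. I would extend the comment on both hunks to `# DNS/HTTPS/NTP/LDAPS/SMTP (to hel; HTTPS needed by kanidm-unixd on all hosts to reach idm)`. The enclosing chain and its policy start outside the hunk, so the effective scope of "every source" cannot be confirmed from what is shown here.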