create special network for crusader which cannot ping lan

2025-07-22 10:25:34 +02:00
parent fd22ef10cc
commit e7e9b34464
3 changed files with 114 additions and 48 deletions
--- a/incus.nix
+++ b/incus.nix
@@ -4,11 +4,29 @@
  virtualisation.incus.enable = true;
  networking = {
    nftables.enable = true;
-    firewall.interfaces = {
-      incusbr0 = {
-        allowedTCPPorts = [ 53 67 ];
-        allowedUDPPorts = [ 53 67 ];
+    firewall = {
+      enable = true;
+      trustedInterfaces = [ "incusbr1" ];
+      filterForward = true;
+
+      extraForwardRules = ''
+        # if crusader tries to go to varian or truenas, BLOCK
+        iifname "incusbr1" oifname "incusbr0" drop
+        iifname "incusbr1" oifname "enp4s0" ip daddr 192.168.0.0/16 drop
+      '';
+
+      interfaces = {
+        incusbr0 = {
+          allowedTCPPorts = [ 53 67 ];
+          allowedUDPPorts = [ 53 67 ];
+        };
+        incusbr1 = {
+          allowedTCPPorts = [ 53 ];
+          allowedUDPPorts = [ 53 67 68 ];
+        };
      };
+
+      
    };
  };