From c88ee8bd9977d009d284fa1c4dce9023972d0c59 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 15 Jul 2018 12:16:43 -0500
Subject: [PATCH] dch-gw: Restrict traffic from Management network

Traffic from the management network is not allowed except for specific services. NTP is required of course, for time synchronization with the pyrocufflink.blue domain controllers. RADIUS is necessary for WiFi authentication, which is also handled by the DCs.
---
 roles/dch-gw/templates/forward.nft.j2 | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/roles/dch-gw/templates/forward.nft.j2 b/roles/dch-gw/templates/forward.nft.j2
index c5f386e..f74faba 100644
--- a/roles/dch-gw/templates/forward.nft.j2
+++ b/roles/dch-gw/templates/forward.nft.j2
@@ -1,5 +1,13 @@
 {#- vim: set sw=4 ts=4 sts=4 et : #}
 table inet filter {
+    set domain_controllers {
+        type ipv4_addr
+        elements = {
+            dc0.pyrocufflink.blue,
+            dc1.pyrocufflink.blue,
+        }
+    }
+
     set vpn_subnets {
         type ipv4_addr
         flags interval
@@ -15,6 +23,8 @@ table inet filter {
         ct state established,related accept
         iifname {{ dch_networks.guest.router_iface }} oif != {{ internet_iface }} drop
         iif != {{ internet_iface }} oifname {{ dch_networks.guest.router_iface }} drop
+        iifname {{ dch_networks.mgmt.router_iface }} ip daddr @domain_controllers udp dport { ntp, radius } counter accept
+        iifname {{ dch_networks.mgmt.router_iface }} counter drop
         iif != {{ internet_iface }} oif != {{ internet_iface }} counter accept
         iif {{ internet_iface }} ip saddr @vpn_subnets counter accept
         iif != {{ internet_iface }} ip daddr @vpn_subnets counter accept
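Review bot: The `domain_controllers` set in the first hunk lists hostnames (`dc0.pyrocufflink.blue`, `dc1.pyrocufflink.blue`) as `ipv4_addr` elements, and nft resolves those once, at ruleset load time, so the whole ruleset fails to load if the names cannot be resolved at that moment (for example if the ruleset is applied during boot before a resolver is reachable), and nft also refuses a hostname that resolves to more than one address. Since this template is rendered by Ansible anyway, the safer form is to interpolate the controllers' literal addresses from inventory, e.g. `elements = { {{ domain_controller_addrs | join(', ') }} }` (variable name is a placeholder), which removes the load-time dependency on DNS and makes a later address change visible in the rendered diff. If hostnames are kept on purpose, a comment on the set saying that they are resolved at load and the ruleset must be reloaded when a DC moves would help the next maintainer.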
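Review bot: The management-network accept rule in the second hunk only opens `udp dport { ntp, radius }`, and the `radius` service name maps to the authentication port (1812) alone; if the access points also send RADIUS accounting to the domain controllers (`radius-acct`, 1813), those datagrams fall through to the unconditional `iifname {{ dch_networks.mgmt.router_iface }} counter drop` on the next line. If accounting is in use, widen the match to `udp dport { ntp, radius, radius-acct }`; if not, a short comment above the rule stating that only NTP and RADIUS authentication are intentionally permitted would document the choice. The drop rule carries a `counter` but no `log`, so rejected management traffic is visible only as a number; adding `log prefix "mgmt-drop: "` (rate-limited if volume is a concern) would make the policy's effect observable when debugging. The enclosing chain starts before this hunk.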