From 5112eab4da5b24db8dc76be7d3b538f1d2c353d5 Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Thu, 10 Oct 2024 18:18:23 +0100
Subject: [PATCH] apply incoming-allowed-ip[46] rules to input as well as forward pkts

this makes it possible to open ports on the router itself
---
 modules/firewall/default-rules.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/firewall/default-rules.nix b/modules/firewall/default-rules.nix
index 88441e1..8fa4d3b 100644
--- a/modules/firewall/default-rules.nix
+++ b/modules/firewall/default-rules.nix
@@ -90,7 +90,7 @@ in {
 # accept inbound from the WAN
 (if allow-incoming
 then accept "oifname \"int\" iifname \"ppp0\""
-else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
+else "iifname \"ppp0\" jump incoming-allowed-ip6"
 )
 # allow all outbound and any inbound that's part of a
 # recognised (outbound-initiated) flow
@@ -210,7 +210,7 @@ in {
 "icmp type { echo-request, echo-reply } accept"
 "iifname int jump input-ip4-lan"
 "iifname ppp0 jump input-ip4-wan"
-"oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
+"iifname ppp0 jump incoming-allowed-ip4"
 "ct state established,related accept"
 "log prefix \"DENIED CHAIN=input-ip4 \""
 ];
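Review bot: Dropping `oifname "int"` from the `else` branch in the @@ -90 hunk widens the match on the forward path if this rule list is also (or only) used by a forward chain, which the commit message implies: every packet entering on ppp0 is now evaluated by incoming-allowed-ip6 whatever its egress interface, so unless the rules in that chain constrain the destination themselves they would admit forwarded traffic that the old `oifname "int"` qualifier excluded. The chain this hunk belongs to is not visible, so this is inferred from the message rather than the lines. The `then` branch in the same hunk still carries `oifname "int"`, so in an input chain (where no output interface exists and the match can never succeed) `allow-incoming = true` would remain ineffective while the `else` branch now works; if the rule is shared, keep both rules chain-specific, e.g. forward: `"oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"` and input: `"iifname \"ppp0\" jump incoming-allowed-ip6"`. The @@ -210 hunk sits in input-ip4 (per its log prefix), where removing `oifname` is what makes the jump reachable at all; a short comment there such as `# input hook has no oifname, so match on iifname only` would record why it differs from the forward rule.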