From aca3e116311143371facd4413007d826f88721a1 Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Thu, 8 Feb 2024 22:59:47 +0000
Subject: [PATCH] firewall: make ipv4 work

---
 examples/demo-firewall.nix | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/examples/demo-firewall.nix b/examples/demo-firewall.nix
index 4319fce..3f381a5 100644
--- a/examples/demo-firewall.nix
+++ b/examples/demo-firewall.nix
@@ -184,8 +184,9 @@ in {
 family = "ip";
 rules = [
- (accept "udp dport 547")
- (accept "tcp dport 22")
+ (accept "udp dport 67") # dhcp
+ (accept "udp dport 53") # dns
+ (accept "tcp dport 22") # ssh
 ];
 };
@@ -194,6 +195,7 @@ in {
 family = "ip";
 rules = [
+ (accept "udp sport 53")
 ];
 };
@@ -204,10 +206,11 @@ in {
 hook = "input";
 rules = [
 "iifname lo accept"
+ "icmp type { echo-request, echo-reply } accept"
 "iifname int jump input-ip4-lan"
 "iifname ppp0 jump input-ip4-wan"
 "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
- "ct state vmap established,related accept"
+ "ct state established,related accept"
 "log prefix \"DENIED CHAIN=input-ip4 \""
 ];
 };
@@ -219,7 +222,7 @@ in {
 hook = "forward";
 rules = [
 "iifname \"int\" accept"
- "ct state vmap { established : accept, related : accept, invalid : drop }"
+ "ct state established,related accept"
 "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
 "log prefix \"DENIED CHAIN=forward-ip4 \""
 ];
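Review bot: The LAN chain's new `(accept "udp dport 53") # dns` has no TCP counterpart, so if the router is the LAN's resolver (the comment suggests it is), truncated responses that fall back to TCP will be refused and logged by the parent chain. If that is the intent, add `(accept "tcp dport 53") # dns (tcp fallback)` beside it; the chain's surrounding attribute set starts above this hunk.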
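Review bot: `(accept "udp sport 53")` in this chain — presumably the WAN input chain, given the `iifname ppp0 jump input-ip4-wan` line in the next hunk — accepts any UDP datagram from the internet whose source port happens to be 53, reaching every UDP service on the router regardless of connection state. Replies to the router's own DNS queries are already covered by `"ct state established,related accept"` in the parent `input-ip4` chain, so this rule only widens exposure. Drop it, or at least tie it to conntrack: `(accept "udp sport 53 ct state established")`. The chain name is not visible in this hunk, so confirm which chain it lands in.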
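Review bot: `"icmp type { echo-request, echo-reply } accept"` sits before the interface jumps, so echo-request is accepted from every interface, including `ppp0`, with no rate limit; if WAN ping is intended, consider `"icmp type echo-request limit rate 10/second accept"` (constructed value) so a flood does not bypass the logging below, and echo-reply is already handled by the conntrack rule for pings the router itself sent. Separately, `"ct state established,related accept"` is placed after the `jump input-ip4-lan` / `jump input-ip4-wan` lines, so each sub-chain also sees established traffic and any accept added there (such as the `udp sport 53` rule in the previous hunk) applies to new connections too; moving the conntrack line above the jumps would keep the per-interface chains to new connections only.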
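Review bot: Replacing the vmap with `"ct state established,related accept"` silently removes the `invalid : drop` branch, so invalid-state packets in `forward-ip4` now fall through to the `oifname "int" iifname "ppp0" jump incoming-allowed-ip4` rule and the log rule, and are only dropped if the chain policy (outside this hunk) is drop. Keep the old behaviour explicit with `"ct state invalid drop"` placed just before the accept line, which also keeps those packets out of the `DENIED CHAIN=forward-ip4` log. The same vmap removal in the input chain of the previous hunk did not carry an `invalid` branch, so it is unaffected.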