From: Zoltán Felleg
Date: Wed, 9 Mar 2022 12:24:22 +0000 (+0100)
Subject: Updated efg.pm (minor tweaks).
X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=ebf697e334820dcff6d7f566966ca82618c1e69e;p=user-lxc.git

Updated efg.pm (minor tweaks).
---
diff --git a/sources/efg.pm/c3d/firstboot/data/nftables.config b/sources/efg.pm/c3d/firstboot/data/nftables.config
index a553402..fc8f03c 100644
--- a/sources/efg.pm/c3d/firstboot/data/nftables.config
+++ b/sources/efg.pm/c3d/firstboot/data/nftables.config
@@ -137,7 +137,7 @@ create chain ip6 efg-filter output { type filter hook output priority 0; policy
 add rule ip efg-nat prerouting \
 iifname $EXTERNAL_ACE_IF \
- ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport 1194 \
+ ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport openvpn \
 counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic"
 #add rule ip efg-nat prerouting \
@@ -147,12 +147,12 @@ add rule ip efg-nat prerouting \
 add rule ip efg-nat prerouting \
 iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_NS_IPV4 udp dport 53 \
+ ip daddr $PUBLIC_ACE_NS_IPV4 udp dport domain \
 counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
 add rule ip efg-nat prerouting \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_NS_IPV4 tcp dport 53 \
+ ip daddr $PUBLIC_ACE_NS_IPV4 tcp dport domain \
 counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
 add rule ip efg-nat prerouting \
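Review bot: The new `udp dport openvpn` in the first prerouting DNAT rule (and `udp dport domain` / `tcp dport domain` in the two DNS DNAT rules of the -147 hunk) makes the ruleset depend on the service database of the host that loads it: nft resolves symbolic service names via /etc/services at load time, and a name it cannot resolve is a parse error that aborts the whole `nft -f` load rather than just that rule. `domain` is present in practically every services file, but `openvpn` is not guaranteed on a minimal image, and this file appears to be applied at container first boot, where a failed load leaves whatever filtering state preceded it (open or closed depending on the chain policies, which I cannot see from these hunks). I would either keep the numeric `1194` for the VPN rules, or add a header comment such as `# port names below are resolved from /etc/services when the ruleset is loaded; dry-run with: nft -c -f <this file>` and make sure the firstboot step that loads the file fails loudly on a non-zero exit. The same point applies to every `53` → `domain` and `1194` → `openvpn` substitution in the hunks at -167, -244, -276 and -397.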
@@ -167,12 +167,12 @@ add rule ip efg-nat prerouting \
 add rule ip efg-filter input \
 ct state established \
- iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IPV4 udp sport 53 \
+ iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IPV4 udp sport domain \
 ip daddr $EFG_PERIMETER_IPV4 udp dport 1024-65535 \
 counter accept comment "DNS replies"
 add rule ip6 efg-filter input \
 ct state established \
- iifname $PERIMETER_IF ip6 saddr $PNS_PERIMETER_IPV6 udp sport 53 \
+ iifname $PERIMETER_IF ip6 saddr $PNS_PERIMETER_IPV6 udp sport domain \
 ip6 daddr $EFG_PERIMETER_IPV6 udp dport 1024-65535 \
 counter accept comment "DNS replies"
@@ -244,12 +244,12 @@ add rule ip efg-filter forward \
 add rule ip efg-filter forward \
 iifname $EXTERNAL_ACE_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport openvpn \
 counter accept comment "Incoming VPN traffic (ACE)"
 add rule ip efg-filter forward \
 iifname $EXTERNAL_TELEKOM_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport openvpn \
 counter accept comment "Incoming VPN traffic (TELEKOM)"
 add rule ip efg-filter forward \
@@ -276,89 +276,89 @@ add rule ip efg-filter forward \
 add rule ip efg-filter forward \
 iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport domain \
 counter accept comment "Incoming DNS requests/notifications (udp) (ACE)"
 add rule ip efg-filter forward \
 iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport domain \
 counter accept comment "Incoming DNS requests/notifications (udp) (TELEKOM)"
 add rule ip efg-filter forward \
 ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport domain \
 oifname $EXTERNAL_ACE_IF udp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (udp) (ACE)"
 add rule ip efg-filter forward \
 ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport domain \
 oifname $EXTERNAL_TELEKOM_IF udp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (udp) (TELEKOM)"
 add rule ip efg-filter forward \
 iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport domain \
 counter accept comment "Incoming DNS requests (tcp) (ACE)"
 add rule ip efg-filter forward \
 iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
+ oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport domain \
 counter accept comment "Incoming DNS requests (tcp) (TELEKOM)"
 add rule ip efg-filter forward \
 ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport domain \
 oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (tcp) (ACE)"
 add rule ip efg-filter forward \
 ct state established, related \
- iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
+ iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport domain \
 oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
 counter accept comment "Outgoing DNS replies (tcp) (TELEKOM)"
 add rule ip efg-filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
- oifname $EXTERNAL_ACE_IF udp dport 53 \
+ oifname $EXTERNAL_ACE_IF udp dport domain \
 counter accept comment "Outgoing DNS requests/notifications (udp) (ACE)"
 add rule ip efg-filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
- oifname $EXTERNAL_TELEKOM_IF udp dport 53 \
+ oifname $EXTERNAL_TELEKOM_IF udp dport domain \
 counter accept comment "Outgoing DNS requests/notifications (udp) (TELEKOM)"
 add rule ip efg-filter forward \
 ct state established, related \
- iifname $EXTERNAL_ACE_IF udp sport 53 \
+ iifname $EXTERNAL_ACE_IF udp sport domain \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (udp) (ACE)"
 add rule ip efg-filter forward \
 ct state established, related \
- iifname $EXTERNAL_TELEKOM_IF udp sport 53 \
+ iifname $EXTERNAL_TELEKOM_IF udp sport domain \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (udp) (TELEKOM)"
 add rule ip efg-filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
- oifname $EXTERNAL_ACE_IF tcp dport 53 \
+ oifname $EXTERNAL_ACE_IF tcp dport domain \
 counter accept comment "Outgoing DNS requests (tcp) (ACE)"
 add rule ip efg-filter forward \
 iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
- oifname $EXTERNAL_TELEKOM_IF tcp dport 53 \
+ oifname $EXTERNAL_TELEKOM_IF tcp dport domain \
 counter accept comment "Outgoing DNS requests (tcp) (TELEKOM)"
 add rule ip efg-filter forward \
 ct state established, related \
- iifname $EXTERNAL_ACE_IF tcp sport 53 \
+ iifname $EXTERNAL_ACE_IF tcp sport domain \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (tcp) (ACE)"
 add rule ip efg-filter forward \
 ct state established, related \
- iifname $EXTERNAL_TELEKOM_IF tcp sport 53 \
+ iifname $EXTERNAL_TELEKOM_IF tcp sport domain \
 oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
 counter accept comment "Incoming DNS replies (tcp) (TELEKOM)"
@@ -397,12 +397,12 @@ add rule ip6 efg-filter forward \
 add rule ip efg-filter output \
 ct state new \
 ip saddr $EFG_PERIMETER_IPV4 udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IPV4 udp dport 53 \
+ oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IPV4 udp dport domain \
 counter accept comment "DNS requests"
 add rule ip6 efg-filter output \
 ct state new \
 ip6 saddr $EFG_PERIMETER_IPV6 udp sport 1024-65535 \
- oifname $PERIMETER_IF ip6 daddr $PNS_PERIMETER_IPV6 udp dport 53 \
+ oifname $PERIMETER_IF ip6 daddr $PNS_PERIMETER_IPV6 udp dport domain \
 counter accept comment "DNS requests"
 add rule ip efg-filter output \