NixOS Networking (!tCyGickeVqkHsYjWnh:nixos.org)

788 members, 227 servers

Topic: Declaratively manage your switching, routing, wireless, tunneling and more. | Don't rely on `networking.*`; use systemd-networkd and NetworkManager instead. | Set `SYSTEMD_LOG_LEVEL=debug` to debug networking issues with networkd. | No bad nft puns, please. | Room recommendations: #sysops:nixos.org

17 Jan 2025
[22:54:59] @magic_rb:matrix.redalder.org (magic_rb): I'm running NixOS, if that's what you're asking
[22:55:15] @magic_rb:matrix.redalder.org (magic_rb): also the 3 boxes except for the KPN box are all virtual, they're network namespaces
[22:55:32] @magic_rb:matrix.redalder.org (magic_rb): not actual physical anythings; to create that complex beast I use https://ifstate.net
[22:55:47] @magic_rb:matrix.redalder.org (magic_rb): (the only declarative tool which understands what a network namespace is)
[22:56:21] @telometto:matrix.org (zeno): That's pretty cool!
[22:56:31] @telometto:matrix.org (zeno): I might have to go the same route
[22:56:43] @telometto:matrix.org (zeno): I actually have a regular Pi 4 lying around
[22:57:00] @magic_rb:matrix.redalder.org (magic_rb): the RPi N are kind of.. shit :)
[22:57:12] @magic_rb:matrix.redalder.org (magic_rb): but if you've got it already, put it to use for sure
[22:57:21] @magic_rb:matrix.redalder.org (magic_rb): I'm using my Pi 3 as an IPMI gateway
[22:57:36] @telometto:matrix.org (zeno): Yeah, I have and it's not doing anything, so I might as well use it for something
[22:57:49] @magic_rb:matrix.redalder.org (magic_rb): would make a good paperweight :D
[22:58:25] @magic_rb:matrix.redalder.org (magic_rb): okay, I gotta go sleep too, I made progress on my bash script rewrite in Haskell
[22:58:39] @magic_rb:matrix.redalder.org (magic_rb): in the meantime, feel free to ping me to discuss networking, bounce ideas, whatever
[22:59:06] @telometto:matrix.org (zeno): I'd love to! I will definitely take you up on the offer 😉
[22:59:19] @telometto:matrix.org (zeno): Have a good night and, again, thank you 😄
[22:59:33] @magic_rb:matrix.redalder.org (magic_rb): no worries
[22:59:35] @magic_rb:matrix.redalder.org (magic_rb): have a good one
18 Jan 2025
[13:16:57] @rajil:rajils.com (trumee) joined the room.
[13:47:11] @rajil:rajils.com (trumee) changed their display name from . to trumee.
[14:05:28] @rajil:rajils.com (trumee): I have an upstream OPNsense router which manages flow between various VLANs. I still need fail2ban on the server. If I turn on `networking.firewall.enable`, it stops the traffic flow. I had to disable it and instead specify a ruleset:

    networking.nftables.ruleset = ''
      table inet mytable {
        chain input {
          type filter hook input priority 0; policy drop;

          # Allow loopback traffic
          iif lo accept

          # Allow established and related connections
          ct state established,related accept

          # Allow everything arriving on the VLAN bridge interfaces
          iifname "vlan2br" accept
          iifname "vlan300br" accept
          iifname "vlan400br" accept
          iifname "vlan500br" accept
          iifname "vlan600br" accept

          # Drop (and count) all other input traffic
          counter drop
        }

        # Allow all outgoing connections.
        chain output {
          type filter hook output priority 0; policy accept;
          accept
        }

        # Allow all forwarded traffic between the bridges.
        chain forward {
          type filter hook forward priority 0; policy accept;
          accept
        }
      }
    '';

If I turn on nixos-fw, it inserts the following, which stops the flow:

    chain rpfilter {
      type filter hook prerouting priority mangle + 10; policy drop;
      meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server"
      fib saddr . mark . iif oif exists accept
      jump rpfilter-allow
    }

What does it do, and can I remove this?
[14:06:52] @hexa:lossy.network (hexa (clat on linux when)): [redacted or malformed event]
[14:09:14] @hexa:lossy.network (hexa (clat on linux when)): reverse path filtering is used to filter traffic from source addresses arriving on an interface that you wouldn't use to reach those addresses over (edited)
[14:11:45] @rajil:rajils.com (trumee): Is it possible to remove it?
[14:12:55] @hexa:lossy.network (hexa (clat on linux when)): https://search.nixos.org/options?channel=24.11&show=networking.firewall.checkReversePath&from=0&size=50&sort=relevance&type=packages&query=reversepath
19 Jan 2025
[01:58:03] @rajil:rajils.com (trumee): Is this incorrect routing?

    07:25:10.320465 enp129s0 P   IP 172.16.1.28 > 172.16.3.4: ICMP echo request, id 111, seq 1, length 64
    07:25:10.320465 vlan300 P   IP 172.16.1.28 > 172.16.3.4: ICMP echo request, id 111, seq 1, length 64
    07:25:10.320465 vlan300br In  IP 172.16.1.28 > 172.16.3.4: ICMP echo request, id 111, seq 1, length 64
    07:25:10.320519 vlan2br Out IP 172.16.3.4 > 172.16.1.28: ICMP echo reply, id 111, seq 1, length 64
    07:25:10.320523 vlan2 Out IP 172.16.3.4 > 172.16.1.28: ICMP echo reply, id 111, seq 1, length 64
[09:41:25] @rgrunbla:matrix.org removed their display name Rémy Grünblatt.
[09:41:38] @rgrunbla:matrix.org left the room.

Room version: 6