author | 2024-07-27 12:44:19 +0100 | |
committer | 2024-07-31 13:25:53 +0100 | |
commit | 75b9f2a395fe042018053031bc3e99b771b60889 (patch) | |
tree | 3b19d3836bbf1af88bf222aa4fe0373fea4139f5 | |
parent | postfix: update DNS to new postfix mailserver (diff) |
postfix: add firewall rules
-rw-r--r-- | ansible/group_vars/all/nftables.yml | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/ansible/group_vars/all/nftables.yml b/ansible/group_vars/all/nftables.yml
index 0e94af9..64d7976 100644
--- a/ansible/group_vars/all/nftables.yml
+++ b/ansible/group_vars/all/nftables.yml
@@ -14,6 +14,16 @@ nftables_configuration: |
         }
     }
+    {% if "mail" in group_names %}
+    set mail_accepted {
+        type inet_service
+        elements = {
+            smtp,
+            smtps
+        }
+    }
+    {% endif %}
+
     {% if "databases" in group_names %}
     # Access control for database server
     set possible_lke_ipv4_addrs {
@@ -70,6 +80,14 @@ nftables_configuration: |
         iifname {{ ansible_default_ipv6.interface }} ip6 saddr @possible_lke_ipv6_addrs tcp dport postgresql ct state new accept
         {% endif %}
         {% endif %}
+
+        {% if "mail" in group_names %}
+        # Inbound mail
+        iifname {{ ansible_default_ipv4.interface }} tcp dport @mail_accepted ct state new accept
+        {% if ansible_default_ipv6 is defined %}
+        iifname {{ ansible_default_ipv6.interface }} tcp dport @mail_accepted ct state new accept
+        {% endif %}
+        {% endif %}
     }
     chain forward { |
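Review bot: The `mail_accepted` set in the first hunk opens only `smtp` (25) and `smtps` (465) and the `# Inbound mail` rules in the second hunk accept them from any source, which is the normal MX posture, but the set says nothing about `submission` (587); if authenticated client submission is meant to be reachable it is missing here, and if it is deliberately left closed that intent should be recorded so a later edit does not add it casually. I would extend the comment to something like `# Inbound mail: MX delivery on smtp/smtps only; submission (587) intentionally not exposed` once the intended scope is confirmed. Also note that unlike the database rules above, these rules carry no source restriction, so anything reaching the interface can open a new connection to these ports; that is expected for a public mail server but worth stating in the same comment. The enclosing `chain input` and the `nftables_configuration` block scalar start outside both hunks.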