X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=transmission-firewall%2Fnetns.rules;h=96b404f9251425a6fe69d08f7bc1891342937541;hb=0b6d44c7f3d567e0a26138509c8a24cb57c69b50;hp=a8c8c2c819eacde380cf47a15e585af7fa2a28e2;hpb=5ea3283142670f2746296021f885547f1ac7b163;p=distro-setup
diff --git a/transmission-firewall/netns.rules b/transmission-firewall/netns.rules
index a8c8c2c..96b404f 100644
--- a/transmission-firewall/netns.rules
+++ b/transmission-firewall/netns.rules
@@ -1,3 +1,7 @@
+# note, transmission specific thing here is to
+# allow one extra port for transmission-remote, but thats no big deal,
+# might as well use this in general for openvpn-nn
+
 # format from iptables-save. [0:0] are comments of packet-count/byte-count
 # which I removed
 *filter
@@ -7,7 +11,7 @@
 # from ip route, we can deduce that traffic goes to the
 # local 10.8.0.x tun0, then to the normal interface.
 # For the normal interface, we allow only some ports:
-# dns, vpn, transmission-remote.
+# dns for root user, vpn, and transmission-remote.
 # dns is only used to resolve the vpn server ip on initial
 # connection.
 # rules are mirror on input and output, just for extra safety,
@@ -29,13 +33,19 @@
 -A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
 -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
+# transmission-remote
 -A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
 # 1195 is used for the secondary vpn server
--A OUTPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
--A INPUT -p udp -m udp --sport 1194:1195 -j ACCEPT
+# 1198 is another vpn port, simpler syntax just to use range
+-A OUTPUT -p udp -m udp --dport 1194:1198 -j ACCEPT
+-A INPUT -p udp -m udp --sport 1194:1198 -j ACCEPT
 -A OUTPUT -o tun0 -j ACCEPT
 -A INPUT -i tun0 -j ACCEPT
+
+# makes debugging things easier
+-A INPUT -p icmp -j ACCEPT
+-A OUTPUT -p icmp -j ACCEPT
 COMMIT
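Review bot: The two ICMP ACCEPT rules added at the end of the third hunk are scoped neither to tun0 nor to an ICMP type, and because `-A OUTPUT -o tun0 -j ACCEPT` and its INPUT mirror already accept the tunnel, their only effect is on the normal interface, which this ruleset otherwise limits to dns, vpn and transmission-remote. That lets ICMP leave the namespace outside the VPN and passes every ICMP type in both directions, so a ping issued inside the namespace would reveal the non-VPN address. If the debugging need is error feedback such as path-MTU, matching a type is enough, e.g. `-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT`, and the OUTPUT rule can be narrowed the same way or removed once debugging is done. Separately, widening the udp range to `1194:1198` also opens 1196 and 1197, which neither comment mentions; `-m multiport --dports 1194,1195,1198` (and `--sports` on the INPUT mirror) would keep the rule as narrow as the comments describe.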