#!/usr/sbin/nft -f
# Generated by edgeguard-api — DO NOT EDIT.
# Source: internal/firewall/firewall.go (template: ruleset.nft.tpl).
# Re-generate via `edgeguard-ctl render-config`.
#
# This file is a Go text/template. Fields consumed from the render data:
#   .PeerIPv4, .PeerIPv6
#       Addresses (or prefixes/ranges, see `flags interval`) that populate the
#       peer_ipv4 / peer_ipv6 sets used by the :8443 rules in the input chain.
#   .CustomRulesInput, .CustomRulesForward, .CustomRulesOutput
#       Lists of {Comment, MatchExpr, Action} appended verbatim to the end of
#       the matching chain, after the fixed rules below.
#
# Nothing here escapes or quotes template values: every field is spliced into
# the ruleset as-is, so a value containing a newline or `;` would terminate the
# comment/rule it sits in and start a new statement.
# NOTE(review): presumably firewall.go validates the rendered values before
# this template runs — confirm at the renderer.
#
# NOTE(review): `flush ruleset` removes every table in every family on the host,
# not only `inet edgeguard`; rules installed by any other component are gone
# after each re-render — confirm exclusive ownership of the ruleset is intended.
flush ruleset

table inet edgeguard {
    # Cluster peers permitted to reach edgeguard-api on :8443 (input chain).
    # `flags interval` lets elements be single addresses, prefixes or ranges.
    # The elements clause is only emitted when the list is non-empty, so an
    # empty peer list still renders a valid (empty) set.
    set peer_ipv4 {
        type ipv4_addr; flags interval
        {{- if .PeerIPv4}}
        elements = { {{range $i, $ip := .PeerIPv4}}{{if $i}}, {{end}}{{$ip}}{{end}} }
        {{- end}}
    }

    # IPv6 counterpart of peer_ipv4; same emission rules.
    set peer_ipv6 {
        type ipv6_addr; flags interval
        {{- if .PeerIPv6}}
        elements = { {{range $i, $ip := .PeerIPv6}}{{if $i}}, {{end}}{{$ip}}{{end}} }
        {{- end}}
    }

    # Inbound traffic to this host. Default-deny: anything not matched below is dropped.
    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful baseline
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # ICMP — keep PMTUD and basic diagnostics
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        # The nd-* types are what keep IPv6 neighbour/router discovery working
        # under a drop policy; the rest mirror the IPv4 diagnostics set.
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # SSH — rate-limit to keep brute-force out of the auth log
        # Only new connections count against the limit (established sessions
        # were already accepted above); once the rate is exceeded, the first
        # rule stops matching and the second drops the rest of the burst.
        tcp dport 22 ct state new limit rate 10/minute accept
        tcp dport 22 drop

        # Public ingress: HAProxy terminates TLS on :443 and serves :80
        tcp dport { 80, 443 } accept

        # Cluster-internal: peers reach edgeguard-api over mTLS on :8443
        # Source-restricted to the peer sets; a host not in a set gets the drop policy.
        tcp dport 8443 ip saddr @peer_ipv4 accept
        tcp dport 8443 ip6 saddr @peer_ipv6 accept

        # Custom rules (.CustomRulesInput), evaluated after the fixed rules above.
        # .Comment, .MatchExpr and .Action are emitted unescaped — see file header.
        {{- range .CustomRulesInput}}
        # {{.Comment}}
        {{.MatchExpr}} {{.Action}}
        {{- end}}
    }

    # Traffic routed through this host. Default-deny; only tracked flows pass
    # unless .CustomRulesForward opens something explicitly.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Custom rules (.CustomRulesForward); same verbatim-splice caveat as above.
        {{- range .CustomRulesForward}}
        # {{.Comment}}
        {{.MatchExpr}} {{.Action}}
        {{- end}}
    }

    # Traffic originating from this host. Default-allow: outbound is unrestricted
    # except for whatever .CustomRulesOutput adds.
    chain output {
        type filter hook output priority 0; policy accept;

        # Custom rules (.CustomRulesOutput); same verbatim-splice caveat as above.
        {{- range .CustomRulesOutput}}
        # {{.Comment}}
        {{.MatchExpr}} {{.Action}}
        {{- end}}
    }
}