From 6bcdd774ac409e8854be3d2c1b9617c196bed17a Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Fri, 12 Jan 2024 22:31:15 +0100
Subject: [PATCH] enable firewall again

replace iptables with nftables
disable reverse path filtering for all hosts
allow port 5353 for host running dnsmasq

closes #31
---
 nixos/modules/networking/default.nix     | 8 ++++++--
 nixos/modules/networking/dmz/default.nix | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/networking/default.nix b/nixos/modules/networking/default.nix
index 88505bb..de43ae5 100644
--- a/nixos/modules/networking/default.nix
+++ b/nixos/modules/networking/default.nix
@@ -52,8 +52,12 @@ in {
   config = {
     networking = {
       domain = "hyp";
-      # TODO: Enabling the firewall makes connectivity of LAN -> DMZ impossible...
-      firewall.enable = false;
+      firewall = {
+        enable = true;
+        checkReversePath = false;
+      };
+
+      nftables.enable = true;
       useDHCP = false;
     };
 
diff --git a/nixos/modules/networking/dmz/default.nix b/nixos/modules/networking/dmz/default.nix
index b73e5eb..b8314d4 100644
--- a/nixos/modules/networking/dmz/default.nix
+++ b/nixos/modules/networking/dmz/default.nix
@@ -22,8 +22,8 @@ in
   config = lib.mkIf cfg.enable {
     networking.firewall = {
-      allowedTCPPorts = [ 53 ];
-      allowedUDPPorts = [ 53 67 ];
+      allowedTCPPorts = [ 53 5353 ];
+      allowedUDPPorts = [ 53 67 5353 ];
     };
 
     services = {
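Review bot: `checkReversePath = false;` in the new `firewall` block switches off the reverse-path anti-spoofing filter for every host that imports this module, and the only explanation of why (the removed `# TODO` about LAN -> DMZ connectivity) is gone with this commit, so a future reader has no hint that this is a deliberate trade-off rather than an oversight. The option also accepts `"loose"`, which only drops packets whose source address has no route at all and is usually enough for asymmetric LAN/DMZ routing; I would try `checkReversePath = "loose";` before disabling it outright, and in either case add a comment such as `# Strict rpfilter breaks LAN -> DMZ traffic on this topology; see #31.` above the line. Since `nftables.enable = true;` makes the NixOS firewall use nftables, any other service in this repository that still installs iptables rules (container or NAT setups, for instance) should be checked, as the two rule sets are not merged; I cannot see from this hunk whether such a service exists.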