FIREWALL

dnsmasq.conf

@@ -224,6 +224,8 @@ dhcp-range=10.0.0.5,10.0.0.250,255.255.255.0,10m
 # need to be on the same network. The order of the parameters in these
 # do not matter, it's permissible to give name, address and MAC in any
 # order.
+dhcp-host=f0:2f:74:c9:9b:61,dragon,10.0.0.5,12h
+# dhcp-host=????,faceless,10.0.0.10,12h
 
 # Always allocate the host with Ethernet address 11:22:33:44:55:66
 # The IP address 192.168.0.60

firewall-edit.sh

@@ -2,9 +2,19 @@
 
 # TODO: diff with existing before just overwriting what's here in git?
 
-f="$(dirname "$(realpath "$0")")/nftables"
+my_config="$(dirname "$(realpath "$0")")/nftables.conf"
-sudo rm "$f"
+
-printf "flush ruleset\n\n" > "$f"
+# we don't care about existing rules - just use ours, thanks
-sudo nft -s list ruleset >> "$f"
+# sudo nft -s list ruleset >> "$f"
-sudo nvim "$f" && sudo nft -f "$f"
+
-# TODO: should this be sync'd to /etc/nftables.conf
+sudo nvim "$my_config"
+cat "$my_config"
+echo "Do you want to load this config? [y/N]"
+read -r l
+[[ $l == "y" ]] && {
+	printf "flush ruleset\n\n" > "/tmp/nftables.txt"
+	cat "$my_config" >> "/tmp/nftables.conf"
+	sudo nft -f "/tmp/nftables.conf"
+	sudo cp "$my_config" "/etc/nftables.conf"
+	echo "Done loading!"
+}

nftables.conf

@@ -1,5 +1,3 @@
-flush ruleset
-
 table inet filter {
 	chain input {
 		type filter hook input priority filter; policy accept;
@@ -23,6 +21,11 @@ table inet filter {
 		type filter hook output priority filter; policy accept;
 	}
 }
+
+# the following two blocks were generated by restarting systemd-networkd and
+# dumping nftables
+
+# nat ipv4 for lan
 table ip io.systemd.nat {
 	set masq_saddr {
 		type ipv4_addr
@@ -49,6 +52,8 @@ table ip io.systemd.nat {
 		ip saddr @masq_saddr masquerade
 	}
 }
+
+# nat ipv6 for lan (probably unnecessary?)
 table ip6 io.systemd.nat {
 	set masq_saddr {
 		type ipv6_addr