From 3691bae82c364b0d611085cea03b03aea9129adc Mon Sep 17 00:00:00 2001
From: Superredstone
Date: Sat, 21 Mar 2026 23:27:18 +0100
Subject: [PATCH] feat(bomba): improve firewall rules
---
 machines/bomba/networking.nix | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/machines/bomba/networking.nix b/machines/bomba/networking.nix
index be2462d..806c4f4 100644
--- a/machines/bomba/networking.nix
+++ b/machines/bomba/networking.nix
@@ -1,25 +1,26 @@
 { ... }:
+let
+ dockerNetwork = "172.18.0.0/16";
+in
 {
 networking = {
 networkmanager.enable = true;
+ nftables.enable = true;
 firewall = {
+ enable = true;
 allowedTCPPorts = [
 22
 80
 443
- 5900
- ];
- allowedTCPPortRanges = [
- {
- from = 8001;
- to = 8005;
- }
 ];
 allowedUDPPorts = [
 80
 443
 ];
- enable = true;
+ extraInputRules = ''
+ ip saddr ${dockerNetwork} tcp dport 5900 accept
+ ip saddr ${dockerNetwork} tcp dport 8001-8005 accept
+ '';
 };
 };
 }
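Review bot: The two accepts added in `extraInputRules` match on `ip saddr ${dockerNetwork}` alone, so they trust any packet carrying a 172.18.0.0/16 source address whichever interface it arrived on; unless reverse-path filtering is active on this host (not visible in the patch), binding the rule to the bridge is the safer form, e.g. `iifname "<docker-bridge-ifname>" ip saddr ${dockerNetwork} tcp dport { 5900, 8001-8005 } accept`. 172.18.0.0/16 is not Docker's default bridge range and is normally allocated dynamically to a user-defined network, so the subnet should be pinned in that network's definition, otherwise these rules silently stop matching once the network is recreated. Two things are worth verifying after deploy: the NixOS option documentation for `networking.nftables.enable` warns that Docker needs manual intervention because it still programs iptables itself, and ports that containers publish are DNATed through the forward path, so removing 5900 and 8001-8005 from `allowedTCPPorts` only closes them if those services listen on the host rather than being published by Docker. A one-line comment above `dockerNetwork` naming the Docker network it refers to would help the next reader.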