]> Git — Sourcephile - sourcephile-nix.git/blob - install/logical/spof/shorewall.nix
update
[sourcephile-nix.git] / install / logical / spof / shorewall.nix
1 {pkgs, lib, config, ...}:
2 let inherit (builtins) hasAttr;
3 inherit (config.services) shorewall shorewall6;
4 unlines = lib.concatStringsSep "\n";
5 zones4 = config.networking.zones;
6 zones6 = config.networking.zones;
7 in
8 {
9 config = {
10 services.shorewall = {
11 enable = true;
12 configs = {
13 "shorewall.conf" = ''
14 ${builtins.readFile "${shorewall.package}/etc/shorewall/shorewall.conf"}
15 #
16 ## Custom config
17 ###
18 STARTUP_ENABLED=Yes
19 ZONE2ZONE=2
20 '';
21 zones = ''
22 # DOC: shorewall-zones(5)
23 fw firewall
24 '' + unlines (lib.mapAttrsToList (zone: _: "${zone} ipv4") zones4);
25 interfaces = ''
26 # DOC: shorewall-interfaces(5)
27 ?FORMAT 2
28 '' + unlines (lib.mapAttrsToList (zone: {iface, ...}:
29 "${zone} ${iface} arp_filter,nosmurfs,routefilter,tcpflags") zones4);
30 policy = ''
31 # DOC: shorewall-policy(5)
32 $FW all DROP
33 '' + unlines (lib.mapAttrsToList (zone: _:
34 "${zone} all DROP none") zones4)
35 + ''
36 # XXX: the following policy must be last
37 all all REJECT none
38 '';
39 rules = ''
40 # DOC: shorewall-rules(5)
41 #SECTION ALL
42 #SECTION ESTABLISHED
43 #SECTION RELATED
44 ?SECTION NEW
45 ''
46 + lib.optionalString (hasAttr "lan" zones4) ''
47 # ----------
48 # $FW -> lan
49 # ----------
50 ACCEPT $FW lan:${config.networking.zones.lan.ipv4}/24
51
52 # ----------
53 # lan -> $FW
54 # ----------
55 ACCEPT lan:${config.networking.zones.lan.ipv4}/24 $FW
56 ''
57 + lib.optionalString (hasAttr "net" zones4) ''
58 # ----------
59 # $FW -> net
60 # ----------
61
62 # By protocol
63 Ping(ACCEPT) $FW net
64
65 # By port
66 DNS(ACCEPT) $FW net
67 Git(ACCEPT) $FW net
68 HTTP(ACCEPT) $FW net
69 HTTPS(ACCEPT) $FW net
70 SMTP(ACCEPT) $FW net
71 SMTPS(ACCEPT) $FW net
72 SSH(ACCEPT) $FW net
73
74 # ----------
75 # net -> $FW
76 # ----------
77
78 # By protocol
79 Ping(ACCEPT) net $FW
80
81 # By port
82 #HTTPS(ACCEPT) net $FW
83 DNS(ACCEPT) net $FW
84 IMAPS(ACCEPT) net $FW
85 POP3S(ACCEPT) net $FW
86 SMTP(ACCEPT) net $FW
87 SMTPS(ACCEPT) net $FW
88 '';
89 "macro.Git" = ''
90 ?FORMAT 2
91 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
92 # PORT(S) PORT(S) LIMIT GROUP
93 PARAM - - tcp 9418
94 '';
95 };
96 };
97 services.shorewall6 = {
98 enable = true;
99 configs = {
100 "shorewall6.conf" = ''
101 ${builtins.readFile "${shorewall6.package}/etc/shorewall6/shorewall6.conf"}
102 #
103 ## Custom config
104 ###
105 STARTUP_ENABLED=Yes
106 ZONE2ZONE=2
107 '';
108 zones = ''
109 # DOC: shorewall-zones(5)
110 fw firewall
111 '' + unlines (lib.mapAttrsToList (zone: _: "${zone} ipv6") zones6);
112 interfaces = ''
113 # DOC: shorewall-interfaces(5)
114 ?FORMAT 2
115 '' + unlines (lib.mapAttrsToList (zone: {iface, ...}:
116 "${zone} ${iface} nosmurfs,tcpflags") zones6);
117 policy = ''
118 # DOC: shorewall-policy(5)
119 $FW all DROP
120 '' + unlines (lib.mapAttrsToList (zone: _:
121 "${zone} all DROP none") zones6)
122 + ''
123 # XXX: the following policy must be last
124 all all REJECT none
125 '';
126 rules = ''
127 # DOC: shorewall-rules(5)
128 #SECTION ALL
129 #SECTION ESTABLISHED
130 #SECTION RELATED
131 ?SECTION NEW
132 ''
133 + lib.optionalString (hasAttr "lan" zones6) ''
134 # ----------
135 # $FW -> lan
136 # ----------
137 Ping(ACCEPT) $FW lan:fe80::/10
138
139 # ----------
140 # lan -> $FW
141 # ----------
142 Ping(ACCEPT) lan:fe80::/10 $FW
143 '';
144 };
145 };
146 };
147 }