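{ pkgs, lib, config, ... }:
# Shorewall (IPv4) and Shorewall6 (IPv6) firewall for this host.
# Both instances share the same zones, policy and rules; only the address
# family of the zones and the per-interface options differ, so the shared
# parts are produced once by `mkConfigs` below instead of being written twice
# (the two copies can no longer drift apart).
let
  inherit (builtins) readFile;
  inherit (config) users;
  inherit (config.services) shorewall shorewall6;

  # Connections opened by the firewall host itself towards the `net` zone
  # (shorewall-rules(5)). A `{user=...}` suffix restricts the rule to sockets
  # owned by that local user; the names are taken from the NixOS user
  # definitions so a renamed account cannot leave a stale rule behind.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net {user=${users.users.unbound.name}}
    Git(ACCEPT) $FW net
    HKP(ACCEPT) $FW net {user=${users.users.julm.name}}
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    IRCS(ACCEPT) $FW net {user=${users.users.julm.name}}
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Connections accepted from the `net` zone towards the firewall host.
  # SSH is rate-limited per source address (`s:`): 1 new connection per
  # minute with a burst of 10. No rule mentions the wireless `wet` zone, so
  # it is only ever subject to its DROP policy below.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW {rate=s:1/min:10}
    Sieve(ACCEPT) net $FW
  '';

  # Macros for services shorewall does not ship one for; each is used by
  # name in the rules above (`Git(ACCEPT)`, `IRCS(ACCEPT)`, `Mosh(ACCEPT)`).
  macros = {
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    "macro.IRCS" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 6697
    '';
    # Mosh needs a whole UDP range; it is opened towards $FW only.
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };

  # The configuration files shared by both address families, parameterised by
  # what actually differs between them:
  #   name         - instance name ("shorewall" / "shorewall6"); also the
  #                  name of the main config file and of the example directory
  #   package      - the package whose shipped example config is the base
  #   family       - zone type for shorewall-zones(5): "ipv4" or "ipv6"
  #   ifaceOptions - option list for shorewall-interfaces(5)
  mkConfigs = { name, package, family, ifaceOptions }: macros // {
    # Upstream example config, with the site-specific settings appended so
    # they override the defaults above them.
    "${name}.conf" = ''
      ${readFile "${package}/etc-example/${name}/${name}.conf"}
      #
      ## Custom config
      ###
      STARTUP_ENABLED=Yes
      ZONE2ZONE=2
    '';
    zones = ''
      # DOC: shorewall-zones(5)
      fw firewall
      net ${family}
      wet ${family}
    '';
    interfaces = ''
      # DOC: shorewall-interfaces(5)
      ?FORMAT 2
      net enp5s0 ${ifaceOptions}
      wet wlp4s0 ${ifaceOptions}
    '';
    # Default-deny in every direction: only the explicit entries in the
    # rules file open traffic. Packets from the `net` and `wet` zones are
    # dropped silently; anything not matched earlier is rejected.
    policy = ''
      # DOC: shorewall-policy(5)
      $FW all DROP
      net all DROP none
      wet all DROP none
      # WARNING: the following policy must be last
      all all REJECT none
    '';
    rules = ''
      # DOC: shorewall-rules(5)
      #SECTION ALL
      #SECTION ESTABLISHED
      #SECTION RELATED
      ?SECTION NEW

      ${fw2net}
      ${net2fw}
    '';
  };
in
{
  services.shorewall = {
    enable = true;
    configs = mkConfigs {
      name = "shorewall";
      package = shorewall.package;
      family = "ipv4";
      # arp_filter and routefilter are backed by IPv4 sysctls, which is
      # presumably why the IPv6 instance below does without them.
      ifaceOptions = "arp_filter,nosmurfs,routefilter=1,tcpflags";
    };
  };
  services.shorewall6 = {
    enable = true;
    configs = mkConfigs {
      name = "shorewall6";
      package = shorewall6.package;
      family = "ipv6";
      ifaceOptions = "nosmurfs,tcpflags";
    };
  };
}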