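# Shorewall (IPv4) and Shorewall6 (IPv6) configuration for machine1.
#
# Both address families share the same structure (zones, interfaces, policy,
# rules-file header); the shared pieces are built once in the `let` block so
# the two families cannot silently drift apart. Every generated file is
# default-deny: the only traffic that passes is what the `rules` files open.
{pkgs, lib, config, ...}:
let
  inherit (config.services) shorewall shorewall6;
  inherit (config) networking;

  # Emit `y` only when the option `x` is set. An unset (null) zone therefore
  # vanishes from the generated file instead of producing a half-formed line;
  # `y` is a lazy thunk, so its interpolations are never forced when `x` is
  # null.
  when = x: y: if x == null then "" else y;

  # Vendor the package's stock configuration file verbatim and append the
  # local overrides; later assignments win in shorewall.conf.
  mkConf = file: ''
    ${builtins.readFile file}
    #
    ## Custom config
    ###
    STARTUP_ENABLED=Yes
    ZONE2ZONE=2
  '';

  # Zone list, identical for both families apart from the family tag
  # (`family` is "ipv4" or "ipv6").
  mkZones = family: ''
    # DOC: shorewall-zones(5)
    fw firewall
    ${when networking.net "net ${family}"}
    ${when networking.lan "lan ${family}"}
  '';

  # Interface list; `options` is the comma-separated option string applied to
  # every interface of that family.
  mkInterfaces = options: ''
    # DOC: shorewall-interfaces(5)
    ?FORMAT 2
    ${when networking.net "net ${networking.net.iface} ${options}"}
    ${when networking.lan "lan ${networking.lan.iface} ${options}"}
  '';

  # Default-deny in every direction, shared by IPv4 and IPv6.
  # NOTE(review): the third column is the log level. With `none` here (and no
  # level on the `$FW all DROP` line) blocked traffic is not logged at all,
  # which makes misconfigurations and probes invisible in syslog; a level such
  # as `info` would record them. Kept as the author wrote it.
  policy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    ${when networking.net "net all DROP none"}
    ${when networking.lan "lan all DROP none"}
    # XXX: the following policy must be last
    all all REJECT none
  '';

  # Common header of both rules files: only the NEW section is declared; the
  # ALL/ESTABLISHED/RELATED section markers are left commented out.
  rulesHeader = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW
  '';
in
{
  config = {
    # ---------------------------------------------------------------- IPv4 --
    services.shorewall = {
      enable = true;
      configs = {
        "shorewall.conf" =
          mkConf "${shorewall.package}/etc/shorewall/shorewall.conf";
        zones = mkZones "ipv4";
        # arp_filter and routefilter correspond to IPv4-only kernel sysctls,
        # hence the difference from the IPv6 interface list below.
        interfaces = mkInterfaces "arp_filter,nosmurfs,routefilter,tcpflags";
        inherit policy;
        rules = rulesHeader
          # Host <-> LAN: unrestricted in both directions for the whole /24
          # around the host's own LAN address.
          + when networking.lan ''
            # ----------
            # $FW -> lan
            # ----------
            ACCEPT $FW lan:${networking.lan.ipv4}/24

            # ----------
            # lan -> $FW
            # ----------
            ACCEPT lan:${networking.lan.ipv4}/24 $FW
          ''
          # Host <-> Internet. Outbound: ping plus a fixed set of client
          # protocols (Git uses the custom macro defined below). Inbound: ping
          # and the mail/DNS services only; HTTPS stays commented out and no
          # inbound SSH rule exists here, so SSH is outbound-only for `net`.
          + when networking.net ''
            # ----------
            # $FW -> net
            # ----------

            # By protocol
            Ping(ACCEPT) $FW net

            # By port
            DNS(ACCEPT) $FW net
            Git(ACCEPT) $FW net
            HTTP(ACCEPT) $FW net
            HTTPS(ACCEPT) $FW net
            SMTP(ACCEPT) $FW net
            SMTPS(ACCEPT) $FW net
            SSH(ACCEPT) $FW net

            # ----------
            # net -> $FW
            # ----------

            # By protocol
            Ping(ACCEPT) net $FW

            # By port
            #HTTPS(ACCEPT) net $FW
            DNS(ACCEPT) net $FW
            IMAPS(ACCEPT) net $FW
            POP3S(ACCEPT) net $FW
            SMTP(ACCEPT) net $FW
            SMTPS(ACCEPT) net $FW
          '';
        # Git protocol macro (tcp/9418) referenced by the outbound rules.
        "macro.Git" = ''
          ?FORMAT 2
          #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
          # PORT(S) PORT(S) LIMIT GROUP
          PARAM - - tcp 9418
        '';
      };
    };

    # ---------------------------------------------------------------- IPv6 --
    # No `net` rules are defined for IPv6. Together with the DROP policies this
    # means every IPv6 packet between this host and `net` is dropped in BOTH
    # directions (including outbound DNS/HTTP), and LAN traffic is limited to
    # link-local ping. Confirm this is intended if the host has global IPv6.
    services.shorewall6 = {
      enable = true;
      configs = {
        "shorewall6.conf" =
          mkConf "${shorewall6.package}/etc/shorewall6/shorewall6.conf";
        zones = mkZones "ipv6";
        interfaces = mkInterfaces "nosmurfs,tcpflags";
        inherit policy;
        rules = rulesHeader
          + when networking.lan ''
            # ----------
            # $FW -> lan
            # ----------
            Ping(ACCEPT) $FW lan:fe80::/10

            # ----------
            # lan -> $FW
            # ----------
            Ping(ACCEPT) lan:fe80::/10 $FW
          '';
      };
    };
  };
}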