1 { pkgs, lib, config, ... }:
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.users) users;
6 inherit (config.services) shorewall shorewall6;
12 DNS(ACCEPT) $FW net {user=${users.unbound.name}}
13 DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
14 DNS(ACCEPT) $FW net:78.192.65.63 # for knot to notify ns0.muarf.org
16 HKP(ACCEPT) $FW net {user=${users.julm.name}}
19 IRCS(ACCEPT) $FW net {user=${users.julm.name}}
20 NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
21 NNTP(ACCEPT) $FW net {user=${users.julm.name}}
22 NNTPS(ACCEPT) $FW net {user=${users.julm.name}}
38 ACCEPT net $FW {proto=tcp, dport=8080}
43 SSH(ACCEPT) net $FW {rate=s:1/min:10}
61 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
62 # PORT(S) PORT(S) LIMIT GROUP
67 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
68 # PORT(S) PORT(S) LIMIT GROUP
73 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
74 # PORT(S) PORT(S) LIMIT GROUP
75 PARAM - - udp 60000-61000
80 services.shorewall = {
84 ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
92 # DOC: shorewall-zones(5)
99 # DOC: shorewall-interfaces(5)
101 net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
102 lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
103 unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
106 # DOC: shorewall-policy(5)
111 # WARNING: the following policy must be last
115 # DOC: shorewall-rules(5)
129 services.shorewall6 = {
131 configs = macros // {
132 "shorewall6.conf" = ''
133 ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
141 # DOC: shorewall-zones(5)
148 # DOC: shorewall-interfaces(5)
150 net enp1s0 nosmurfs,tcpflags
151 lan enp2s0 nosmurfs,tcpflags
152 unused enp3s0 nosmurfs,tcpflags
155 # DOC: shorewall-policy(5)
160 # WARNING: the following policy must be last
164 # DOC: shorewall-rules(5)