shorewall: allow Whois queries
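# Shorewall (IPv4) and Shorewall6 (IPv6) configuration for this host.
# Zones: `fw` is the host itself, `net` is interface enp5s0 and `wet` is
# interface wlp4s0.  Both IP families share the rule sets and macros defined
# below; only the zone types, the interface options and the base *.conf
# differ between `services.shorewall` and `services.shorewall6`.
{ pkgs, lib, config, ... }:
let
  # Only what is actually used below; the former `hasAttr` and
  # `unlinesAttrs` bindings were unreferenced.
  inherit (builtins) readFile;
  inherit (config.users) users;
  inherit (config.services) shorewall shorewall6;

  # Connections the host itself may open towards `net`.
  # `{user=...}` restricts a rule to sockets owned by that local user, so
  # the egress is only usable by the service expected to need it.
  # NOTE(review): the bare tcp/8080 ACCEPT is not attributed to any service
  # here — confirm what needs it and whether it should carry a `user=`
  # restriction like the DNS/HKP/IRCS/NTP entries.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net {user=${users.unbound.name}}
    Git(ACCEPT) $FW net
    HKP(ACCEPT) $FW net {user=${users.julm.name}}
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    ACCEPT $FW net {proto=tcp, dport=8080}
    IRCS(ACCEPT) $FW net {user=${users.julm.name}}
    NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
    Whois(ACCEPT) $FW net
  '';

  # Services exposed to `net`.  SSH is rate-limited per source address
  # (`s:1/min:10`: one new connection per minute, burst of 10).  Nothing is
  # listed for the `wet` zone, so the DROP policies below apply to all
  # traffic to and from it.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW {rate=s:1/min:10}
    Sieve(ACCEPT) net $FW
  '';

  # Local macro definitions, shared by both IP families through
  # `configs = macros // { ... }`.
  # NOTE(review): these are expected to shadow stock macros of the same
  # name via CONFIG_PATH search order — confirm against the generated
  # configuration directory.
  macros = {
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    "macro.IRCS" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 6697
    '';
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };
in
{
  services.shorewall = {
    enable = true;
    configs = macros // {
      # Start from the example shorewall.conf shipped with the package and
      # append the overrides below.  STARTUP_ENABLED=Yes is required for the
      # service to start at all; ZONE2ZONE=2 makes zone-pair chains be named
      # like `net2fw` rather than `net-fw`.
      "shorewall.conf" = ''
        ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
        #
        ## Custom config
        ###
        STARTUP_ENABLED=Yes
        ZONE2ZONE=2
      '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv4
        wet ipv4
      '';
      # Per-interface hardening options: reverse-path filtering
      # (routefilter=1), arp_filter, and the nosmurfs/tcpflags sanity
      # checks, on both the wired and the wireless interface.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp5s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        wet wlp4s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      '';
      # Default deny in every direction; only the explicit rules above let
      # traffic through.  No log level is set on any policy (blank or
      # `none`), so connections dropped here leave no trace in the journal —
      # set a level such as `info` if dropped traffic should be observable.
      policy = ''
        # DOC: shorewall-policy(5)
        $FW all DROP
        net all DROP none
        wet all DROP none
        # WARNING: the following policy must be last
        all all REJECT none
      '';
      # Only the NEW section is populated.  ESTABLISHED and RELATED are
      # left to Shorewall's defaults (presumably ACCEPT, with
      # RELATED_DISPOSITION in shorewall.conf governing the latter —
      # confirm).
      rules = ''
        # DOC: shorewall-rules(5)
        #SECTION ALL
        #SECTION ESTABLISHED
        #SECTION RELATED
        ?SECTION NEW

        ${fw2net}
        ${net2fw}
      '';
    };
  };
  services.shorewall6 = {
    enable = true;
    configs = macros // {
      # Same approach as shorewall.conf above, using the shorewall6 package's
      # example file as the base.
      "shorewall6.conf" = ''
        ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
        #
        ## Custom config
        ###
        STARTUP_ENABLED=Yes
        ZONE2ZONE=2
      '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv6
        wet ipv6
      '';
      # Only nosmurfs/tcpflags here: arp_filter and routefilter are IPv4
      # sysctls and have no counterpart in this IPv6 interface list.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp5s0 nosmurfs,tcpflags
        wet wlp4s0 nosmurfs,tcpflags
      '';
      # Identical default-deny policy to the IPv4 side; no log level is set,
      # so dropped IPv6 connections are likewise not logged.
      policy = ''
        # DOC: shorewall-policy(5)
        $FW all DROP
        net all DROP none
        wet all DROP none
        # WARNING: the following policy must be last
        all all REJECT none
      '';
      # The IPv6 rules are the same `fw2net`/`net2fw` sets as for IPv4, so
      # any service opened above is reachable over both families.
      rules = ''
        # DOC: shorewall-rules(5)
        #SECTION ALL
        #SECTION ESTABLISHED
        #SECTION RELATED
        ?SECTION NEW

        ${fw2net}
        ${net2fw}
      '';
    };
  };
}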