# Shorewall (IPv4) and Shorewall6 (IPv6) firewall configuration for this host.
# Both stacks are driven by the same zone attrset (config.networking.zones)
# and both use a default-deny policy in every direction: the firewall itself
# may not initiate traffic ($FW all DROP), no zone may reach anything
# (<zone> all DROP), and a final catch-all REJECTs. Only what is listed in
# `rules` gets through. The generated files are the raw Shorewall
# configuration files; `# DOC:` lines inside them point at the relevant
# manual page.
{ pkgs, lib, config, ... }:
let inherit (builtins) hasAttr readFile;
    inherit (pkgs.lib) unlinesAttrs;
    inherit (config.services) shorewall shorewall6;
    # NOTE(review): the same attrset feeds both stacks. From the uses below
    # each zone is expected to carry an `iface` attribute (IPv6 interfaces
    # file) and the `lan` zone an `ipv4` attribute (IPv4 rules) — confirm
    # against the definition of the networking.zones option.
    zones4 = config.networking.zones;
    zones6 = config.networking.zones;
    # Macro opening the Git daemon port (tcp/9418). `PARAM` is substituted
    # with the action supplied at the call site, e.g. Git(ACCEPT).
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
in
{
  config = {
    services.shorewall = {
      enable = true;
      configs = {
        # Start from the example shorewall.conf shipped with the package and
        # override a few settings at the end (the last assignment of a
        # variable wins). STARTUP_ENABLED must be Yes or the service refuses
        # to start; ZONE2ZONE=2 only affects generated chain names.
        "shorewall.conf" = ''
          ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
          #
          ## Custom config
          ###
          STARTUP_ENABLED=Yes
          ZONE2ZONE=2
        '';
        # One ipv4 zone per entry of zones4, plus the firewall zone itself.
        zones = ''
          # DOC: shorewall-zones(5)
          fw firewall
        '' + unlinesAttrs (zone: _: "${zone} ipv4") zones4;
        # NOTE(review): interfaces are hard-coded while `zones` above is
        # generated from zones4. Shorewall does not compile when a declared
        # zone has no interface, or when an interface names an undeclared
        # zone; so `net`, `maint` and `unused` must be present in zones4,
        # and any other zone referenced in `rules` (e.g. `lan`) must be
        # bound to an interface here — confirm, or re-enable the generated
        # form kept in the comment below.
        # Option meaning (shorewall-interfaces(5)): nosmurfs/tcpflags drop
        # smurf and invalid-flag packets, routefilter turns on reverse-path
        # filtering, arp_filter restricts ARP replies to the owning interface,
        # dhcp lets the DHCP exchange through on the maintenance interface.
        interfaces = ''
          # DOC: shorewall-interfaces(5)
          ?FORMAT 2
          net enp1s0 arp_filter,nosmurfs,routefilter,tcpflags
          maint enp2s0 arp_filter,nosmurfs,routefilter,tcpflags,dhcp
          unused enp3s0 arp_filter,nosmurfs,routefilter,tcpflags
        '';
        /* + unlinesAttrs (zone: {iface, ...}:
          "${zone} ${iface} arp_filter,nosmurfs,routefilter,tcpflags") zones4
        */
        # Default-deny in every direction. `none` in the DEFAULT ACTION
        # column disables the standard Drop/Reject actions for these
        # policies, so nothing is accepted or logged implicitly by them;
        # anything not matched in `rules` is dropped, and the catch-all
        # REJECT must stay last because policies are matched in order.
        policy = ''
          # DOC: shorewall-policy(5)
          $FW all DROP
        ''
        + unlinesAttrs (zone: _: "${zone} all DROP none") zones4
        + ''

          # XXX: the following policy must be last
          all all REJECT none
        '';
        # Only the NEW section is declared; ESTABLISHED and RELATED are left
        # to the compiler's defaults (presumably accepted — TODO confirm with
        # the installed Shorewall release, see shorewall-rules(5) SECTIONS).
        rules = ''
          # DOC: shorewall-rules(5)
          #SECTION ALL
          #SECTION ESTABLISHED
          #SECTION RELATED
          ?SECTION NEW
        ''
        # lan <-> $FW is fully open in both directions, restricted to the
        # /24 around the lan address (the prefix length is assumed, not
        # taken from the zone definition).
        + lib.optionalString (hasAttr "lan" zones4) ''
          # ----------
          # $FW -> lan
          # ----------
          ACCEPT $FW lan:${zones4.lan.ipv4}/24

          # ----------
          # lan -> $FW
          # ----------
          ACCEPT lan:${zones4.lan.ipv4}/24 $FW
        ''
        # `net` is the untrusted side. Outbound: ping, DNS, Git, HTTP(S),
        # SMTP(S), SSH. Inbound, i.e. exposed to the Internet: ping, DNS,
        # IMAPS, POP3S, SMTP(S) and SSH (HTTPS intentionally left disabled).
        # NOTE(review): DNS should only be exposed if this host serves
        # authoritative zones — an open recursive resolver is an
        # amplification vector. No RATE LIMIT column is set on SSH/SMTP, so
        # brute-force throttling relies on the daemons themselves; consider
        # the shorewall-rules(5) RATE LIMIT column (e.g. `s:ssh:3/min:5`)
        # if that is not the case.
        + lib.optionalString (hasAttr "net" zones4) ''
          # ----------
          # $FW -> net
          # ----------

          # By protocol
          Ping(ACCEPT) $FW net

          # By port
          DNS(ACCEPT) $FW net
          Git(ACCEPT) $FW net
          HTTP(ACCEPT) $FW net
          HTTPS(ACCEPT) $FW net
          SMTP(ACCEPT) $FW net
          SMTPS(ACCEPT) $FW net
          SSH(ACCEPT) $FW net

          # ----------
          # net -> $FW
          # ----------

          # By protocol
          Ping(ACCEPT) net $FW

          # By port
          #HTTPS(ACCEPT) net $FW
          DNS(ACCEPT) net $FW
          IMAPS(ACCEPT) net $FW
          POP3S(ACCEPT) net $FW
          SMTP(ACCEPT) net $FW
          SMTPS(ACCEPT) net $FW
          SSH(ACCEPT) net $FW
        '';
        # Ship the Git macro alongside the configuration files.
        inherit "macro.Git";
      };
    };
    services.shorewall6 = {
      enable = true;
      configs = {
        # Same approach as the IPv4 side: example file plus overrides.
        "shorewall6.conf" = ''
          ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
          #
          ## Custom config
          ###
          STARTUP_ENABLED=Yes
          ZONE2ZONE=2
        '';
        # One ipv6 zone per entry of zones6, plus the firewall zone itself.
        zones = ''
          # DOC: shorewall-zones(5)
          fw firewall
        '' + unlinesAttrs (zone: _: "${zone} ipv6") zones6;
        # Unlike the IPv4 side, interfaces are generated from the zone
        # attrset here (each zone must define `iface`). routefilter and
        # arp_filter are IPv4-only options and are correctly absent.
        interfaces = ''
          # DOC: shorewall-interfaces(5)
          ?FORMAT 2
        '' + unlinesAttrs (zone: {iface, ...}: "${zone} ${iface} nosmurfs,tcpflags") zones6;
        # Default-deny, mirroring the IPv4 policy; the catch-all REJECT must
        # stay last.
        policy = ''
          # DOC: shorewall-policy(5)
          $FW all DROP
        ''
        + unlinesAttrs (zone: _: "${zone} all DROP none") zones6
        + ''

          # XXX: the following policy must be last
          all all REJECT none
        '';
        # Only link-local traffic from `lan` is allowed over IPv6 (ping in
        # both directions, SSH and Git inbound). There are no `net` rules at
        # all on this side, so IPv6 traffic to and from the Internet is
        # entirely dropped by policy.
        # NOTE(review): with DEFAULT ACTION `none` the standard Drop/Reject
        # actions (which in some releases carry AllowICMPs) are not run;
        # confirm that essential ICMPv6 (neighbour discovery, packet-too-big)
        # is still accepted on the net interface, or add explicit
        # AllowICMPs(ACCEPT) rules — TODO confirm.
        rules = ''
          # DOC: shorewall-rules(5)
          #SECTION ALL
          #SECTION ESTABLISHED
          #SECTION RELATED
          ?SECTION NEW
        ''
        + lib.optionalString (hasAttr "lan" zones6) ''
          # ----------
          # $FW -> lan
          # ----------
          Ping(ACCEPT) $FW lan:fe80::/10

          # ----------
          # lan -> $FW
          # ----------
          Ping(ACCEPT) lan:fe80::/10 $FW
          SSH(ACCEPT) lan:fe80::/10 $FW
          Git(ACCEPT) lan:fe80::/10 $FW
        '';
        # Ship the Git macro alongside the configuration files.
        inherit "macro.Git";
      };
    };
  };
}