nftables: only use unbound for DNS resolving
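# Shorewall (IPv4) and Shorewall6 (IPv6) firewall for the host "mermet".
#
# Three physical interfaces are mapped to zones: enp1s0 -> net (upstream /
# Internet), enp2s0 -> lan, enp3s0 -> unused.  Every zone pair defaults to
# DROP and only the rules below open holes.  The policy and rules text is
# shared between the IPv4 and IPv6 instances so the two stacks cannot drift
# apart; only the zone/interface declarations differ (address family and the
# interface options that exist for that family).
{ pkgs, lib, config, ... }:
let
  inherit (builtins) hasAttr readFile;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config.users) users;
  inherit (config.services) shorewall shorewall6;

  # Outbound: firewall host -> net.
  # "{user=...}" restricts a rule to connections originated by that local
  # user (USER/GROUP column of shorewall-rules(5)), so e.g. only the unbound
  # user may send DNS queries out and only systemd-timesync may speak NTP.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net {user=${users.unbound.name}}
    Git(ACCEPT) $FW net
    HKP(ACCEPT) $FW net {user=${users.julm.name}}
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    IRCS(ACCEPT) $FW net {user=${users.julm.name}}
    NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
    NNTP(ACCEPT) $FW net {user=${users.julm.name}}
    NNTPS(ACCEPT) $FW net {user=${users.julm.name}}
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Inbound: net -> firewall host.  No SOURCE restriction is given on any of
  # these lines, so each one is a service reachable from any address.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    # NOTE(review): DNS is accepted from the whole net zone. If the resolver
    # listening on :53 is recursive this makes it an open resolver usable for
    # amplification attacks -- confirm it only answers authoritative zones,
    # or restrict the SOURCE column.
    DNS(ACCEPT) net $FW
    Git(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    # NOTE(review): tcp/8080 is exposed without a macro naming the service;
    # document what listens here (or drop the rule if nothing does).
    ACCEPT net $FW {proto=tcp, dport=8080}
    NNTPS(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    # Rate-limited per source address (1 new connection/min, burst 10) to slow
    # down password guessing; RATE column of shorewall-rules(5).
    SSH(ACCEPT) net $FW {rate=s:1/min:10}
    Sieve(ACCEPT) net $FW
  '';

  # Firewall host <-> lan.
  fw2lan = ''
    Ping(ACCEPT) $FW lan
    DNS(ACCEPT) $FW lan
    HTTPS(ACCEPT) $FW lan
  '';
  lan2fw = ''
    Ping(ACCEPT) lan $FW
    SSH(ACCEPT) lan $FW
    HTTP(ACCEPT) lan $FW
    HTTPS(ACCEPT) lan $FW
    DNS(ACCEPT) lan $FW
  '';

  # Macros for services Shorewall does not ship one for.  Mosh needs a UDP
  # port range rather than a single port.
  macros = {
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    "macro.IRCS" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 6697
    '';
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };

  # Shared by shorewall and shorewall6.
  # Default deny in every direction; the LOG LEVEL column is "none" so dropped
  # packets are not logged.  Policies are matched in order of appearance, so
  # the all/all REJECT catch-all must stay last.
  zonePolicy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    lan all DROP none
    net all DROP none
    unused all DROP none
    # WARNING: the following policy must be last
    all all REJECT none
  '';

  # Shared by shorewall and shorewall6; installed with lib.mkBefore so other
  # modules can append further rules after these.  Only the NEW section is
  # populated; the other section headers are kept commented out as a reminder
  # of what is available.
  newRules = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW

    ${fw2net}
    ${net2fw}

    ${fw2lan}
    ${lan2fw}
  '';

  # Appended after the example shorewall{,6}.conf shipped in the package,
  # intended to override the defaults set there.
  confOverrides = ''
    #
    ## Custom config
    ###
    STARTUP_ENABLED=Yes
    ZONE2ZONE=2
  '';
in
{
  services.shorewall = {
    enable = true;
    configs = macros // {
      # Closing '' on the same line as the overrides so no extra blank line
      # is appended after them.
      "shorewall.conf" = ''
        ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
        ${confOverrides}'';
      # "unused" is declared as a real zone so that traffic on enp3s0 falls
      # under an explicit DROP policy instead of being undefined.
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv4
        lan ipv4
        unused ipv4
      '';
      # arp_filter / routefilter=1: answer ARP and accept packets only on the
      # interface the route back to the source points to (anti-spoofing);
      # nosmurfs: drop packets with a broadcast source address;
      # tcpflags: reject packets with illegal TCP flag combinations.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      '';
      policy = zonePolicy;
      rules = lib.mkBefore newRules;
    };
  };
  services.shorewall6 = {
    enable = true;
    configs = macros // {
      "shorewall6.conf" = ''
        ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
        ${confOverrides}'';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv6
        lan ipv6
        unused ipv6
      '';
      # arp_filter and routefilter are IPv4-only options, so the IPv6 side
      # has no reverse-path check here.
      # NOTE(review): shorewall6-interfaces(5) documents an "rpfilter" option
      # for this purpose -- consider adding it for parity with the IPv4 side.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 nosmurfs,tcpflags
        lan enp2s0 nosmurfs,tcpflags
        unused enp3s0 nosmurfs,tcpflags
      '';
      policy = zonePolicy;
      rules = lib.mkBefore newRules;
    };
  };
}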