1 { pkgs, lib, config, ... }:
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.users) users groups;
6 inherit (config.services) shorewall shorewall6 transmission;
12 DNS(ACCEPT) $FW net {user=${users.unbound.name}}
14 HKP(ACCEPT) $FW net {user=${users.julm.name}}
17 ACCEPT $FW net {proto=tcp, dport=8080}
18 IRCS(ACCEPT) $FW net {user=${users.julm.name}}
19 NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
38 SSH(ACCEPT) net $FW {rate=s:1/min:10}
39 ACCEPT net $FW {proto=tcp, dport=2222}
45 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
46 # PORT(S) PORT(S) LIMIT GROUP
51 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
52 # PORT(S) PORT(S) LIMIT GROUP
57 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
58 # PORT(S) PORT(S) LIMIT GROUP
59 PARAM - - udp 60000-61000
64 services.shorewall = {
68 ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
76 # DOC: shorewall-zones(5)
82 # DOC: shorewall-interfaces(5)
84 net enp5s0 arp_filter,nosmurfs,routefilter=1,tcpflags,upnpclient
85 wet wlp4s0 arp_filter,nosmurfs,routefilter=1,tcpflags
88 # DOC: shorewall-policy(5)
92 # WARNING: the following policy must be last
96 # DOC: shorewall-rules(5)
103 ACCEPT $FW net:192.168.0.0/16
104 ACCEPT $FW net:224.0.0.0/4 udp 1900 # UPnP
105 ACCEPT $FW net udp {user=${users.transmission.name}} # BitTorrent
107 ACCEPT net $FW tcp ${toString transmission.settings.peer-port} # BitTorrent
108 ACCEPT net $FW udp ${toString transmission.settings.peer-port} # BitTorrent
112 services.shorewall6 = {
114 configs = macros // {
115 "shorewall6.conf" = ''
116 ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
124 # DOC: shorewall-zones(5)
130 # DOC: shorewall-interfaces(5)
132 net enp5s0 nosmurfs,tcpflags
133 wet wlp4s0 nosmurfs,tcpflags
136 # DOC: shorewall-policy(5)
140 # WARNING: the following policy must be last
144 # DOC: shorewall-rules(5)