]> Git — Sourcephile - sourcephile-nix.git/blob - servers/losurdo/production/shorewall.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nix: add members/*.nix
[sourcephile-nix.git] / servers / losurdo / production / shorewall.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.users) users groups;
6 inherit (config.services) shorewall shorewall6 transmission;
7 fw2net = ''
8 # By protocol
9 Ping(ACCEPT) $FW net
10
11 # By port
12 DNS(ACCEPT) $FW net {user=${users.unbound.name}}
13 Git(ACCEPT) $FW net
14 HKP(ACCEPT) $FW net {user=${users.julm.name}}
15 HTTP(ACCEPT) $FW net
16 HTTPS(ACCEPT) $FW net
17 ACCEPT $FW net {proto=tcp, dport=8080}
18 IRCS(ACCEPT) $FW net {user=${users.julm.name}}
19 NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
20 SMTP(ACCEPT) $FW net
21 SMTPS(ACCEPT) $FW net
22 SSH(ACCEPT) $FW net
23 Whois(ACCEPT) $FW net
24 '';
25 net2fw = ''
26 # By protocol
27 Ping(ACCEPT) net $FW
28
29 # By port
30 DNS(ACCEPT) net $FW
31 HTTP(ACCEPT) net $FW
32 HTTPS(ACCEPT) net $FW
33 IMAPS(ACCEPT) net $FW
34 Mosh(ACCEPT) net $FW
35 POP3S(ACCEPT) net $FW
36 SMTP(ACCEPT) net $FW
37 SMTPS(ACCEPT) net $FW
38 SSH(ACCEPT) net $FW {rate=s:1/min:10}
39 ACCEPT net $FW {proto=tcp, dport=2222}
40 Sieve(ACCEPT) net $FW
41 '';
42 macros = {
43 "macro.Git" = ''
44 ?FORMAT 2
45 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
46 # PORT(S) PORT(S) LIMIT GROUP
47 PARAM - - tcp 9418
48 '';
49 "macro.IRCS" = ''
50 ?FORMAT 2
51 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
52 # PORT(S) PORT(S) LIMIT GROUP
53 PARAM - - tcp 6697
54 '';
55 "macro.Mosh" = ''
56 ?FORMAT 2
57 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
58 # PORT(S) PORT(S) LIMIT GROUP
59 PARAM - - udp 60000-61000
60 '';
61 };
62 in
63 {
64 services.shorewall = {
65 enable = true;
66 configs = macros // {
67 "shorewall.conf" = ''
68 ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
69 #
70 ## Custom config
71 ###
72 STARTUP_ENABLED=Yes
73 ZONE2ZONE=2
74 '';
75 zones = ''
76 # DOC: shorewall-zones(5)
77 fw firewall
78 net ipv4
79 wet ipv4
80 '';
81 interfaces = ''
82 # DOC: shorewall-interfaces(5)
83 ?FORMAT 2
84 net enp5s0 arp_filter,nosmurfs,routefilter=1,tcpflags,upnpclient
85 wet wlp4s0 arp_filter,nosmurfs,routefilter=1,tcpflags
86 '';
87 policy = ''
88 # DOC: shorewall-policy(5)
89 $FW all DROP
90 net all DROP none
91 wet all DROP none
92 # WARNING: the following policy must be last
93 all all REJECT none
94 '';
95 rules = ''
96 # DOC: shorewall-rules(5)
97 #SECTION ALL
98 #SECTION ESTABLISHED
99 #SECTION RELATED
100 ?SECTION NEW
101
102 ${fw2net}
103 ACCEPT $FW net:192.168.0.0/16
104 ACCEPT $FW net:224.0.0.0/4 udp 1900 # UPnP
105 ACCEPT $FW net udp {user=${users.transmission.name}} # BitTorrent
106 ${net2fw}
107 ACCEPT net $FW tcp ${toString transmission.settings.peer-port} # BitTorrent
108 ACCEPT net $FW udp ${toString transmission.settings.peer-port} # BitTorrent
109 '';
110 };
111 };
112 services.shorewall6 = {
113 enable = true;
114 configs = macros // {
115 "shorewall6.conf" = ''
116 ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
117 #
118 ## Custom config
119 ###
120 STARTUP_ENABLED=Yes
121 ZONE2ZONE=2
122 '';
123 zones = ''
124 # DOC: shorewall-zones(5)
125 fw firewall
126 net ipv6
127 wet ipv6
128 '';
129 interfaces = ''
130 # DOC: shorewall-interfaces(5)
131 ?FORMAT 2
132 net enp5s0 nosmurfs,tcpflags
133 wet wlp4s0 nosmurfs,tcpflags
134 '';
135 policy = ''
136 # DOC: shorewall-policy(5)
137 $FW all DROP
138 net all DROP none
139 wet all DROP none
140 # WARNING: the following policy must be last
141 all all REJECT none
142 '';
143 rules = ''
144 # DOC: shorewall-rules(5)
145 #SECTION ALL
146 #SECTION ESTABLISHED
147 #SECTION RELATED
148 ?SECTION NEW
149
150 ${fw2net}
151 ${net2fw}
152 '';
153 };
154 };
155 }
NixOS configurations for Sourcephile's infrastructure