servers/mermet/production/shorewall.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (builtins) hasAttr readFile;
   4   inherit (pkgs.lib) unlinesAttrs;
   5   inherit (config.users) users;
   6   inherit (config.services) shorewall shorewall6;
   7   fw2net = ''
   8     # By protocol
   9     Ping(ACCEPT)   $FW net
  10
  11     # By port
  12     DNS(ACCEPT)    $FW net {user=${users.unbound.name}}
  13     DNS(ACCEPT)    $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
  14     DNS(ACCEPT)    $FW net:78.192.65.63  # for knot to notify ns0.muarf.org
  15     Git(ACCEPT)    $FW net
  16     HKP(ACCEPT)    $FW net {user=${users.julm.name}}
  17     HTTP(ACCEPT)   $FW net
  18     HTTPS(ACCEPT)  $FW net
  19     IRCS(ACCEPT)   $FW net {user=${users.julm.name}}
  20     NTP(ACCEPT)    $FW net {user=${users.systemd-timesync.name}}
  21     SMTP(ACCEPT)   $FW net
  22     SMTPS(ACCEPT)  $FW net
  23     SSH(ACCEPT)    $FW net
  24   '';
  25   net2fw = ''
  26     # By protocol
  27     Ping(ACCEPT)   net $FW
  28
  29     # By port
  30     DNS(ACCEPT)    net $FW
  31     HTTP(ACCEPT)   net $FW
  32     HTTPS(ACCEPT)  net $FW
  33     IMAPS(ACCEPT)  net $FW
  34     Mosh(ACCEPT)   net $FW
  35     POP3S(ACCEPT)  net $FW
  36     SMTP(ACCEPT)   net $FW
  37     SMTPS(ACCEPT)  net $FW
  38     SSH(ACCEPT)    net $FW {rate=s:1/min:10}
  39     Sieve(ACCEPT)  net $FW
  40   '';
  41   fw2lan = ''
  42     Ping(ACCEPT)   $FW lan
  43     DNS(ACCEPT)    $FW lan
  44     HTTPS(ACCEPT)  $FW lan
  45   '';
  46   lan2fw = ''
  47     Ping(ACCEPT)   lan $FW
  48     SSH(ACCEPT)    lan $FW
  49     HTTP(ACCEPT)   lan $FW
  50     HTTPS(ACCEPT)  lan $FW
  51     DNS(ACCEPT)    lan $FW
  52   '';
  53   macros = {
  54     "macro.Git" = ''
  55       ?FORMAT 2
  56       #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
  57       #                               PORT(S) PORT(S) LIMIT   GROUP
  58       PARAM   -       -       tcp     9418
  59     '';
  60     "macro.IRCS" = ''
  61       ?FORMAT 2
  62       #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
  63       #                               PORT(S) PORT(S) LIMIT   GROUP
  64       PARAM   -       -       tcp     6697
  65     '';
  66     "macro.Mosh" = ''
  67       ?FORMAT 2
  68       #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
  69       #                               PORT(S) PORT(S) LIMIT   GROUP
  70       PARAM   -       -       udp     60000-61000
  71     '';
  72   };
  73 in
  74 {
  75   services.shorewall = {
  76     enable  = true;
  77     configs = macros // {
  78       "shorewall.conf" = ''
  79         ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
  80         #
  81         ## Custom config
  82         ###
  83         STARTUP_ENABLED=Yes
  84         ZONE2ZONE=2
  85       '';
  86       zones = ''
  87         # DOC: shorewall-zones(5)
  88         fw firewall
  89         net    ipv4
  90         lan    ipv4
  91         unused ipv4
  92       '';
  93       interfaces = ''
  94         # DOC: shorewall-interfaces(5)
  95         ?FORMAT 2
  96         net    enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
  97         lan    enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
  98         unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
  99       '';
 100       policy = ''
 101         # DOC: shorewall-policy(5)
 102         $FW    all DROP
 103         lan    all DROP   none
 104         net    all DROP   none
 105         unused all DROP   none
 106         # WARNING: the following policy must be last
 107         all    all REJECT none
 108       '';
 109       rules = ''
 110         # DOC: shorewall-rules(5)
 111         #SECTION ALL
 112         #SECTION ESTABLISHED
 113         #SECTION RELATED
 114         ?SECTION NEW
 115
 116         ${fw2net}
 117         ${net2fw}
 118
 119         ${fw2lan}
 120         ${lan2fw}
 121       '';
 122     };
 123   };
 124   services.shorewall6 = {
 125     enable  = true;
 126     configs = macros // {
 127       "shorewall6.conf" = ''
 128         ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
 129         #
 130         ## Custom config
 131         ###
 132         STARTUP_ENABLED=Yes
 133         ZONE2ZONE=2
 134         '';
 135       zones = ''
 136         # DOC: shorewall-zones(5)
 137         fw firewall
 138         net    ipv6
 139         lan    ipv6
 140         unused ipv6
 141       '';
 142       interfaces = ''
 143         # DOC: shorewall-interfaces(5)
 144         ?FORMAT 2
 145         net    enp1s0 nosmurfs,tcpflags
 146         lan    enp2s0 nosmurfs,tcpflags
 147         unused enp3s0 nosmurfs,tcpflags
 148       '';
 149       policy = ''
 150         # DOC: shorewall-policy(5)
 151         $FW    all DROP
 152         lan    all DROP   none
 153         net    all DROP   none
 154         unused all DROP   none
 155         # WARNING: the following policy must be last
 156         all    all REJECT none
 157       '';
 158       rules = ''
 159         # DOC: shorewall-rules(5)
 160         #SECTION ALL
 161         #SECTION ESTABLISHED
 162         #SECTION RELATED
 163         ?SECTION NEW
 164
 165         ${fw2net}
 166         ${net2fw}
 167
 168         ${fw2lan}
 169         ${lan2fw}
 170       '';
 171     };
 172   };
 173 }