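{ pkgs, lib, config, ... }:
# Shorewall (IPv4) and Shorewall6 (IPv6) configuration for this host.
#
# Zones: $FW (this host), net (enp1s0, the Internet side), lan (enp2s0) and
# unused (enp3s0, named as such; it still gets a zone of its own so that the
# default DROP policy covers it).  Everything that can be shared between the
# IPv4 and IPv6 instances (rules, policy, the shorewall.conf overrides) is
# defined once in this `let` and reused by both, so the two address families
# cannot silently drift apart -- only the zone types and the interface options
# differ between them.
let
  # `hasAttr`, `unlinesAttrs` and `lib` are currently unused below.
  inherit (builtins) hasAttr readFile;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config.users) users;
  inherit (config.services) shorewall shorewall6;

  # Egress: this host -> Internet.
  #
  # Where a single local user owns the client, the rule is pinned to that uid
  # with `{user=...}` (DNS -> unbound, NTP -> systemd-timesync, HKP/IRCS ->
  # julm) so another service on the box cannot reuse the opening.  Git, HTTP,
  # HTTPS, SMTP, SMTPS and SSH are open to every local user; the MTA and ACME
  # client users that need them are not visible from this file, so pinning
  # those is left as a TODO for whoever knows the service accounts.
  # The two DNS lines with explicit destinations are the secondary name
  # servers knot sends NOTIFYs to; they must be updated if those hosts
  # renumber, and they are not restricted to knot's uid.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net {user=${users.unbound.name}}
    DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
    DNS(ACCEPT) $FW net:78.192.65.63 # for knot to notify ns0.muarf.org
    Git(ACCEPT) $FW net
    HKP(ACCEPT) $FW net {user=${users.julm.name}}
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    IRCS(ACCEPT) $FW net {user=${users.julm.name}}
    NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Ingress: Internet -> this host.
  #
  # Only SSH is rate limited (per source address: 1 new connection per
  # minute, burst of 10).  Ping and every other listed service are accepted
  # without limit, so brute-force and flood protection for them has to come
  # from the daemons themselves (or from a log-based blocker).  Mosh opens the
  # UDP range defined by macro.Mosh below.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW {rate=s:1/min:10}
    Sieve(ACCEPT) net $FW
  '';

  # Egress: this host -> LAN.  Only ping, DNS and HTTPS; no user pinning.
  fw2lan = ''
    Ping(ACCEPT) $FW lan
    DNS(ACCEPT) $FW lan
    HTTPS(ACCEPT) $FW lan
  '';

  # Ingress: LAN -> this host.  The LAN is treated as trusted: SSH from it is
  # not rate limited, unlike SSH from net.
  lan2fw = ''
    Ping(ACCEPT) lan $FW
    SSH(ACCEPT) lan $FW
    HTTP(ACCEPT) lan $FW
    HTTPS(ACCEPT) lan $FW
    DNS(ACCEPT) lan $FW
  '';

  # Custom macros referenced by the rules above (Git, IRCS, Mosh).  They are
  # installed into both the IPv4 and IPv6 instances; `?FORMAT 2` selects the
  # column layout documented in the header comment of each macro.
  macros = {
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    "macro.IRCS" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 6697
    '';
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };

  # Builds a shorewall{,6}.conf from the example file shipped in the package,
  # with this host's settings appended after it.  This relies on a later
  # assignment in the file overriding an earlier one for the same key; if a
  # new override is added here, check that the example does not already pin
  # it in a way that conflicts.
  mkConf = example: ''
    ${readFile example}
    #
    ## Custom config
    ###
    STARTUP_ENABLED=Yes
    ZONE2ZONE=2
  '';

  # Default deny in every direction; the rule strings above are the only
  # openings.  `none` suppresses logging of dropped packets.  For detection
  # purposes it may be worth logging at least the $FW -> net drops (outbound
  # connection attempts that hit the policy are a useful compromise
  # indicator and are normally low volume), e.g. `$FW all DROP info`.
  policy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    lan all DROP none
    net all DROP none
    unused all DROP none
    # WARNING: the following policy must be last
    all all REJECT none
  '';

  # Only the NEW section is declared; the ALL/ESTABLISHED/RELATED section
  # markers are left commented out, so those sections are whatever Shorewall
  # uses by default when they are absent.  Shared verbatim by IPv4 and IPv6.
  rules = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW

    ${fw2net}
    ${net2fw}

    ${fw2lan}
    ${lan2fw}
  '';
in
{
  services.shorewall = {
    enable = true;
    configs = macros // {
      "shorewall.conf" = mkConf "${shorewall.package}/etc-example/shorewall/shorewall.conf";
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv4
        lan ipv4
        unused ipv4
      '';
      # arp_filter and routefilter=1 are only set on the IPv4 instance; the
      # IPv6 instance below uses nosmurfs,tcpflags alone.  See
      # shorewall-interfaces(5) for the option semantics.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      '';
      inherit policy rules;
    };
  };
  services.shorewall6 = {
    enable = true;
    configs = macros // {
      "shorewall6.conf" = mkConf "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf";
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv6
        lan ipv6
        unused ipv6
      '';
      # Same interfaces as the IPv4 instance, without the IPv4-only options.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 nosmurfs,tcpflags
        lan enp2s0 nosmurfs,tcpflags
        unused enp3s0 nosmurfs,tcpflags
      '';
      # Identical policy and rules to IPv4 on purpose: an IPv6 ruleset looser
      # than the IPv4 one would let the same services be reached over v6.
      inherit policy rules;
    };
  };
}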