nix: remove upstreamed PR patches
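{ pkgs, lib, config, ... }:
# Shorewall (IPv4) and Shorewall6 (IPv6) firewall for this host.
#
# Both address families share the same zone layout, the same default-deny
# policy and the same host<->Internet rule sets; only the interface options
# and a few IPv4-only rules (LAN, UPnP, BitTorrent) differ. The shared parts
# are defined once below so the two rulesets cannot drift apart silently.
let
  inherit (builtins) readFile;
  inherit (config.users) users;
  inherit (config.services) shorewall shorewall6 transmission;

  # Connections initiated by this host ($FW) towards the Internet (net).
  # Where a rule carries {user=...}, only processes of that user may open
  # the connection; the other rules apply to any local process.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net {user=${users.unbound.name}}
    Git(ACCEPT) $FW net
    HKP(ACCEPT) $FW net {user=${users.julm.name}}
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    # TODO(review): document which service needs outbound tcp/8080.
    ACCEPT $FW net {proto=tcp, dport=8080}
    IRCS(ACCEPT) $FW net {user=${users.julm.name}}
    NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
    Whois(ACCEPT) $FW net
  '';

  # Connections initiated from the Internet (net) towards this host ($FW):
  # the publicly exposed services. SSH is rate-limited per source address
  # (1 new connection per minute, burst of 10) to slow down brute forcing.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW {rate=s:1/min:10}
    Sieve(ACCEPT) net $FW
  '';

  # Locally defined macros used by the rule sets above, one per protocol.
  # DOC: shorewall-macros(5)
  mkMacro = proto: ports: ''
    ?FORMAT 2
    #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
    # PORT(S) PORT(S) LIMIT GROUP
    PARAM - - ${proto} ${ports}
  '';
  macros = {
    "macro.Git" = mkMacro "tcp" "9418";
    "macro.IRCS" = mkMacro "tcp" "6697";
    "macro.Mosh" = mkMacro "udp" "60000-61000";
  };

  # Zone layout, identical for both address families: this host (fw), the
  # wired uplink (net) and the wireless interface (wet).
  zonesFor = family: ''
    # DOC: shorewall-zones(5)
    fw firewall
    net ${family}
    wet ${family}
  '';

  # Default-deny in every direction. Nothing below ever allows traffic to or
  # from the wet zone, so wlp4s0 is effectively closed both ways.
  policy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    net all DROP none
    wet all DROP none
    # WARNING: the following policy must be last
    all all REJECT none
  '';

  # Common preamble of both rules files. Only the NEW section is declared;
  # the other sections keep Shorewall's defaults (see shorewall-rules(5)).
  rulesHeader = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW
  '';

  # Start from the example configuration shipped with the package and
  # append the local settings. NOTE(review): this relies on the appended
  # assignments taking precedence over earlier ones of the same name in the
  # example file — confirm against the Shorewall documentation.
  customConf = example: ''
    ${readFile example}
    #
    ## Custom config
    ###
    STARTUP_ENABLED=Yes
    ZONE2ZONE=2
  '';
in
{
  services.shorewall = {
    enable = true;
    configs = macros // {
      "shorewall.conf" = customConf "${shorewall.package}/etc-example/shorewall/shorewall.conf";
      zones = zonesFor "ipv4";
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        # arp_filter and routefilter are IPv4-specific hardening options,
        # hence absent from the IPv6 interfaces. upnpclient admits traffic
        # from the UPnP router on this interface; see shorewall-interfaces(5)
        # for exactly what it opens.
        net enp5s0 arp_filter,nosmurfs,routefilter=1,tcpflags,upnpclient
        wet wlp4s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      '';
      inherit policy;
      rules = ''
        ${rulesHeader}
        ${fw2net}
        # Unrestricted access from this host to the 192.168/16 LAN: no port
        # or protocol filter, so every LAN service is reachable from here.
        ACCEPT $FW net:192.168.0.0/16
        ACCEPT $FW net:224.0.0.0/4 udp 1900 # UPnP
        # Outbound BitTorrent: any UDP destination, but only for the
        # transmission daemon's user.
        ACCEPT $FW net udp {user=${users.transmission.name}} # BitTorrent
        ${net2fw}
        # Inbound BitTorrent peers. The port is read from the transmission
        # service options so the firewall follows its configuration.
        ACCEPT net $FW tcp ${toString transmission.settings.peer-port} # BitTorrent
        ACCEPT net $FW udp ${toString transmission.settings.peer-port} # BitTorrent
      '';
    };
  };

  services.shorewall6 = {
    enable = true;
    configs = macros // {
      "shorewall6.conf" = customConf "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf";
      zones = zonesFor "ipv6";
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp5s0 nosmurfs,tcpflags
        wet wlp4s0 nosmurfs,tcpflags
      '';
      inherit policy;
      # No LAN, UPnP or BitTorrent rules over IPv6: only the shared
      # host<->Internet sets apply.
      rules = ''
        ${rulesHeader}
        ${fw2net}
        ${net2fw}
      '';
    };
  };
}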