nsd: failed attempt to reduce its memory footprint
# NixOS module for the mermet host firewall: Shorewall (IPv4) and Shorewall6
# (IPv6). Both stacks declare the same zones (fw, net, lan, unused) on the same
# interfaces (enp1s0, enp2s0, enp3s0) and interpolate the same rule and policy
# text, so a port opened in the bindings below is opened for IPv4 and IPv6 alike.
{ pkgs, lib, config, ... }:
let
  # `hasAttr`, `unlinesAttrs` and the `lib` parameter are not referenced in
  # this file; only `readFile`, `shorewall` and `shorewall6` are used below.
  inherit (builtins) hasAttr readFile;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config.services) shorewall shorewall6;
  # Connections initiated by the firewall host itself towards the Internet
  # zone. `Git` is the `macro.Git` defined further down (tcp/9418).
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net
    Git(ACCEPT) $FW net
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';
  # Connections from the Internet zone to the host: DNS, IMAPS, POP3S, SMTP,
  # SMTPS and SSH are exposed; HTTPS stays commented out, so it is not.
  # NOTE(review): none of these rules fills the RATE LIMIT column, so the
  # exposed services (SSH in particular) are unthrottled at the firewall —
  # confirm that is intended or that limiting happens in the daemons.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    #HTTPS(ACCEPT) net $FW
    DNS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW
  '';
  # Connections from the host to the LAN zone.
  fw2lan = ''
    Ping(ACCEPT) $FW lan
    DNS(ACCEPT) $FW lan
    HTTPS(ACCEPT) $FW lan
  '';
  # Connections from the LAN zone to the host. HTTP (not HTTPS) is accepted
  # from the LAN, which differs from the `net` side above.
  lan2fw = ''
    Ping(ACCEPT) lan $FW
    SSH(ACCEPT) lan $FW
    HTTP(ACCEPT) lan $FW
    DNS(ACCEPT) lan $FW
  '';
  # Extra Shorewall macro files, merged into both `configs` attribute sets
  # below. `macro.Git` matches tcp/9418 (the git:// protocol).
  macros = {
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
  };
in
{
  services.shorewall = {
    enable = true;
    configs = macros // {
      # The package's example shorewall.conf is taken verbatim and the custom
      # settings are appended after it. NOTE(review): this assumes a later
      # assignment overrides an earlier one in shorewall.conf — confirm; it
      # also means every other option silently tracks whatever the packaged
      # example ships, so a package upgrade can change firewall defaults.
      "shorewall.conf" = ''
        ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
        #
        ## Custom config
        ###
        STARTUP_ENABLED=Yes
        ZONE2ZONE=2
      '';
      # `fw` is the host itself; the other three zones are bound to one
      # interface each in `interfaces`.
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv4
        lan ipv4
        unused ipv4
      '';
      # Per-interface hardening options: arp_filter, nosmurfs, tcpflags and
      # routefilter=1 (kernel reverse-path check, an anti-spoofing measure).
      # `dhcp` on the LAN interface allows DHCP traffic there.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp
        unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      '';
      # Default-deny in every direction; anything not matched by `rules` is
      # dropped (or rejected by the catch-all, which must stay last because
      # policies are matched in order). `none` in the LOG LEVEL column
      # presumably disables logging of policy matches — confirm; if so,
      # dropped traffic leaves no trace for monitoring.
      policy = ''
        # DOC: shorewall-policy(5)
        $FW all DROP
        lan all DROP none
        net all DROP none
        unused all DROP none
        # WARNING: the following policy must be last
        all all REJECT none
      '';
      # Only a NEW section is declared; the ALL/ESTABLISHED/RELATED headers
      # are commented out, so Shorewall's defaults for those connection
      # states apply (check shorewall-rules(5) for what they are). The four
      # rule bindings are the same ones used by `services.shorewall6`.
      rules = ''
        # DOC: shorewall-rules(5)
        #SECTION ALL
        #SECTION ESTABLISHED
        #SECTION RELATED
        ?SECTION NEW

        ${fw2net}
        ${net2fw}

        ${fw2lan}
        ${lan2fw}
      '';
    };
  };
  # IPv6 counterpart: same zones, interfaces, policy and rules as above, built
  # from the shorewall6 package's example config.
  services.shorewall6 = {
    enable = true;
    configs = macros // {
      # Same approach as shorewall.conf above: packaged example first, custom
      # settings appended (same override-order assumption applies).
      "shorewall6.conf" = ''
        ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
        #
        ## Custom config
        ###
        STARTUP_ENABLED=Yes
        ZONE2ZONE=2
      '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv6
        lan ipv6
        unused ipv6
      '';
      # Only nosmurfs and tcpflags here: arp_filter and routefilter are
      # IPv4-only options. NOTE(review): no reverse-path check is configured
      # on the IPv6 side, and `lan` lacks the `dhcp` option the IPv4 entry
      # has — confirm whether DHCPv6 is used on the LAN.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 nosmurfs,tcpflags
        lan enp2s0 nosmurfs,tcpflags
        unused enp3s0 nosmurfs,tcpflags
      '';
      # Identical to the IPv4 policy: default-deny, catch-all REJECT last.
      policy = ''
        # DOC: shorewall-policy(5)
        $FW all DROP
        lan all DROP none
        net all DROP none
        unused all DROP none
        # WARNING: the following policy must be last
        all all REJECT none
      '';
      # Identical to the IPv4 rules: every service listed in the shared
      # bindings is therefore also reachable over IPv6.
      rules = ''
        # DOC: shorewall-rules(5)
        #SECTION ALL
        #SECTION ESTABLISHED
        #SECTION RELATED
        ?SECTION NEW

        ${fw2net}
        ${net2fw}

        ${fw2lan}
        ${lan2fw}
      '';
    };
  };
}