servers/mermet/shorewall.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (builtins) hasAttr readFile;
   4   inherit (pkgs.lib) unlinesAttrs;
   5   inherit (config.users) users;
   6   inherit (config.services) shorewall shorewall6;
   7   fw2net = ''
   8     # By protocol
   9     Ping(ACCEPT)   $FW net
  10
  11     # By port
  12     DNS(ACCEPT)    $FW net {user=${users.unbound.name}}
  13     Git(ACCEPT)    $FW net
  14     HKP(ACCEPT)    $FW net {user=${users.julm.name}}
  15     HTTP(ACCEPT)   $FW net
  16     HTTPS(ACCEPT)  $FW net
  17     IRCS(ACCEPT)   $FW net {user=${users.julm.name}}
  18     NTP(ACCEPT)    $FW net {user=${users.systemd-timesync.name}}
  19     NNTP(ACCEPT)   $FW net {user=${users.julm.name}}
  20     NNTPS(ACCEPT)  $FW net {user=${users.julm.name}}
  21     SMTP(ACCEPT)   $FW net
  22     SMTPS(ACCEPT)  $FW net
  23     SSH(ACCEPT)    $FW net
  24   '';
  25   net2fw = ''
  26     # By protocol
  27     Ping(ACCEPT)   net $FW
  28
  29     # By port
  30     DNS(ACCEPT)    net $FW
  31     Git(ACCEPT)    net $FW
  32     HTTP(ACCEPT)   net $FW
  33     HTTPS(ACCEPT)  net $FW
  34     IMAPS(ACCEPT)  net $FW
  35     Mosh(ACCEPT)   net $FW
  36     ACCEPT         net $FW {proto=tcp, dport=8080}
  37     NNTPS(ACCEPT)  net $FW
  38     POP3S(ACCEPT)  net $FW
  39     SMTP(ACCEPT)   net $FW
  40     SMTPS(ACCEPT)  net $FW
  41     SSH(ACCEPT)    net $FW {rate=s:1/min:10}
  42     Sieve(ACCEPT)  net $FW
  43   '';
  44   fw2lan = ''
  45     Ping(ACCEPT)   $FW lan
  46     DNS(ACCEPT)    $FW lan
  47     HTTPS(ACCEPT)  $FW lan
  48   '';
  49   lan2fw = ''
  50     Ping(ACCEPT)   lan $FW
  51     SSH(ACCEPT)    lan $FW
  52     HTTP(ACCEPT)   lan $FW
  53     HTTPS(ACCEPT)  lan $FW
  54     DNS(ACCEPT)    lan $FW
  55   '';
  56   macros = {
  57     "macro.Git" = ''
  58       ?FORMAT 2
  59       #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
  60       #                               PORT(S) PORT(S) LIMIT   GROUP
  61       PARAM   -       -       tcp     9418
  62     '';
  63     "macro.IRCS" = ''
  64       ?FORMAT 2
  65       #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
  66       #                               PORT(S) PORT(S) LIMIT   GROUP
  67       PARAM   -       -       tcp     6697
  68     '';
  69     "macro.Mosh" = ''
  70       ?FORMAT 2
  71       #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
  72       #                               PORT(S) PORT(S) LIMIT   GROUP
  73       PARAM   -       -       udp     60000-61000
  74     '';
  75   };
  76 in
  77 {
  78 services.shorewall = {
  79   enable  = true;
  80   configs = macros // {
  81     "shorewall.conf" = ''
  82       ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
  83       #
  84       ## Custom config
  85       ###
  86       STARTUP_ENABLED=Yes
  87       ZONE2ZONE=2
  88     '';
  89     zones = ''
  90       # DOC: shorewall-zones(5)
  91       fw firewall
  92       net    ipv4
  93       lan    ipv4
  94       unused ipv4
  95     '';
  96     interfaces = ''
  97       # DOC: shorewall-interfaces(5)
  98       ?FORMAT 2
  99       net    enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
 100       lan    enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
 101       unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
 102     '';
 103     policy = ''
 104       # DOC: shorewall-policy(5)
 105       $FW    all DROP
 106       lan    all DROP   none
 107       net    all DROP   none
 108       unused all DROP   none
 109       # WARNING: the following policy must be last
 110       all    all REJECT none
 111     '';
 112     rules = lib.mkBefore ''
 113       # DOC: shorewall-rules(5)
 114       #SECTION ALL
 115       #SECTION ESTABLISHED
 116       #SECTION RELATED
 117       ?SECTION NEW
 118
 119       ${fw2net}
 120       ${net2fw}
 121
 122       ${fw2lan}
 123       ${lan2fw}
 124     '';
 125   };
 126 };
 127 services.shorewall6 = {
 128   enable  = true;
 129   configs = macros // {
 130     "shorewall6.conf" = ''
 131       ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
 132       #
 133       ## Custom config
 134       ###
 135       STARTUP_ENABLED=Yes
 136       ZONE2ZONE=2
 137       '';
 138     zones = ''
 139       # DOC: shorewall-zones(5)
 140       fw firewall
 141       net    ipv6
 142       lan    ipv6
 143       unused ipv6
 144     '';
 145     interfaces = ''
 146       # DOC: shorewall-interfaces(5)
 147       ?FORMAT 2
 148       net    enp1s0 nosmurfs,tcpflags
 149       lan    enp2s0 nosmurfs,tcpflags
 150       unused enp3s0 nosmurfs,tcpflags
 151     '';
 152     policy = ''
 153       # DOC: shorewall-policy(5)
 154       $FW    all DROP
 155       lan    all DROP   none
 156       net    all DROP   none
 157       unused all DROP   none
 158       # WARNING: the following policy must be last
 159       all    all REJECT none
 160     '';
 161     rules = lib.mkBefore ''
 162       # DOC: shorewall-rules(5)
 163       #SECTION ALL
 164       #SECTION ESTABLISHED
 165       #SECTION RELATED
 166       ?SECTION NEW
 167
 168       ${fw2net}
 169       ${net2fw}
 170
 171       ${fw2lan}
 172       ${lan2fw}
 173     '';
 174   };
 175 };
 176 }