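{ pkgs, lib, config, ... }:
# Shorewall (IPv4) and Shorewall6 (IPv6) configuration for this host.
#
# Zones: fw (the host itself), net (enp1s0), lan (enp2s0), unused (enp3s0).
# Every zone pair is DROP by policy, with REJECT as the final catch-all, so
# the only traffic that passes is what the rule sets below open explicitly:
# exposing a new service means adding a rule here, never relaxing a policy.
let
  inherit (builtins) readFile;
  inherit (config) users;
  inherit (config.services) shorewall shorewall6;

  # Outbound (host -> internet) rules shared by the IPv4 and IPv6 rule sets.
  # Rules whose DEST is an IPv4 literal are kept apart in fw2net4 so they are
  # not fed to shorewall6, whose rules file only takes IPv6 addresses.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    # DNS to arbitrary internet hosts is limited to the unbound user;
    # the knot notifications to fixed resolvers live in the IPv4-only set.
    DNS(ACCEPT) $FW net {user=${users.users.unbound.name}}
    Git(ACCEPT) $FW net
    HKP(ACCEPT) $FW net {user=${users.users.julm.name}}
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    IRCS(ACCEPT) $FW net {user=${users.users.julm.name}}
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # IPv4-only outbound rules: their DEST is an IPv4 literal, so they are
  # interpolated into the shorewall (IPv4) rules file only.
  fw2net4 = ''
    DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
    DNS(ACCEPT) $FW net:78.192.65.63 # for knot to notify ns0.muarf.org
  '';

  # Inbound (internet -> host) rules: the services this host exposes publicly.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    # Per-source (s:) rate limit: 1 new connection per minute with a burst
    # of 10, which throttles credential guessing without blocking a normal
    # login; SSH from the lan zone is not rate limited.
    SSH(ACCEPT) net $FW {rate=s:1/min:10}
    Sieve(ACCEPT) net $FW
  '';

  # Host <-> lan rules; the lan is trusted for SSH, so no rate limit here.
  fw2lan = ''
    Ping(ACCEPT) $FW lan
    DNS(ACCEPT) $FW lan
    HTTPS(ACCEPT) $FW lan
  '';
  lan2fw = ''
    Ping(ACCEPT) lan $FW
    SSH(ACCEPT) lan $FW
    HTTP(ACCEPT) lan $FW
    HTTPS(ACCEPT) lan $FW
    DNS(ACCEPT) lan $FW
  '';

  # Macros for the services the rules above call by name (Git, IRCS, Mosh).
  # They only name protocols and ports, so both firewalls share them.
  # PARAM is replaced by the action given at the call site, e.g. Git(ACCEPT).
  macros = {
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST    SOURCE  RATE  USER/
      #                         PORT(S) PORT(S) LIMIT GROUP
      PARAM   -      -    tcp   9418
    '';
    "macro.IRCS" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST    SOURCE  RATE  USER/
      #                         PORT(S) PORT(S) LIMIT GROUP
      PARAM   -      -    tcp   6697
    '';
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST        SOURCE  RATE  USER/
      #                         PORT(S)     PORT(S) LIMIT GROUP
      PARAM   -      -    udp   60000-61000
    '';
  };
in
{
  services.shorewall = {
    enable = true;
    configs = macros // {
      # Start from the example shorewall.conf shipped with the package and
      # append the settings this host needs after it.
      "shorewall.conf" = ''
        ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
        #
        ## Custom config
        ###
        STARTUP_ENABLED=Yes
        ZONE2ZONE=2
      '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv4
        lan ipv4
        unused ipv4
      '';
      # nosmurfs drops packets whose source is a broadcast/multicast address,
      # tcpflags rejects invalid TCP flag combinations, routefilter=1 turns on
      # strict reverse-path filtering on the interface.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      '';
      # Default deny in every direction; nothing is logged (LOG LEVEL none).
      policy = ''
        # DOC: shorewall-policy(5)
        $FW all DROP
        lan all DROP none
        net all DROP none
        unused all DROP none
        # WARNING: the following policy must be last
        all all REJECT none
      '';
      # Only the NEW section is declared, so every rule below applies to
      # new connections; the IPv4-literal rules are included here only.
      rules = ''
        # DOC: shorewall-rules(5)
        #SECTION ALL
        #SECTION ESTABLISHED
        #SECTION RELATED
        ?SECTION NEW

        ${fw2net}
        ${fw2net4}
        ${net2fw}

        ${fw2lan}
        ${lan2fw}
      '';
    };
  };
  services.shorewall6 = {
    enable = true;
    configs = macros // {
      "shorewall6.conf" = ''
        ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
        #
        ## Custom config
        ###
        STARTUP_ENABLED=Yes
        ZONE2ZONE=2
      '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv6
        lan ipv6
        unused ipv6
      '';
      # arp_filter and routefilter are IPv4 sysctls (net.ipv4.conf.*), hence
      # only nosmurfs and tcpflags are set on the IPv6 side.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 nosmurfs,tcpflags
        lan enp2s0 nosmurfs,tcpflags
        unused enp3s0 nosmurfs,tcpflags
      '';
      # Same default-deny policy as the IPv4 firewall.
      policy = ''
        # DOC: shorewall-policy(5)
        $FW all DROP
        lan all DROP none
        net all DROP none
        unused all DROP none
        # WARNING: the following policy must be last
        all all REJECT none
      '';
      # Shares the rule sets with the IPv4 firewall, minus fw2net4 whose
      # IPv4-literal destinations are meaningless to ip6tables.
      rules = ''
        # DOC: shorewall-rules(5)
        #SECTION ALL
        #SECTION ESTABLISHED
        #SECTION RELATED
        ?SECTION NEW

        ${fw2net}
        ${net2fw}

        ${fw2lan}
        ${lan2fw}
      '';
    };
  };
}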