1 { pkgs, lib, config, ... }:
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config) networking;
6 inherit (config.users) users groups;
9 networking.firewall.enable = false;
10 security.lockKernelModules = false;
11 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
12 systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
13 networking.nftables = {
15 ruleset = lib.mkBefore (''
17 include "${../../../var/nftables/filter.txt}"
18 # A set containing the udp port(s) to which SSDP replies are allowed.
24 #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
25 #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
28 #ct state new add @connlimit { ip saddr ct count over 20 } counter tcp reject with tcp reset
30 # Some .nix append rules here with: add rule inet filter net2fw ...
33 tcp dport { 80, 443 } counter accept comment "HTTP"
34 udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
35 tcp dport 1965 counter accept comment "Gemini"
36 tcp dport 9418 counter accept comment "Git"
38 # Some .nix append rules here with: add rule inet filter fw2net ...
41 # Some .nix append rules here with: add rule inet filter wifi2fw ...
44 # Some .nix append rules here with: add rule inet filter fw2wifi ...
47 # Some .nix append rules here with: add rule inet filter fwd-wifi ...
50 # Some .nix append rules here with: add rule inet filter intra2fw ...
53 # Some .nix append rules here with: add rule inet filter fw2intra ...
56 # Some .nix append rules here with: add rule inet filter fwd-intra ...
59 # Some .nix append rules here with: add rule inet filter extra2fw ...
63 type filter hook input priority filter
69 ct state { established, related } accept
70 jump accept-connectivity-input
71 ct state invalid counter drop
74 tcp dport 22 counter accept comment "SSH"
75 udp dport 60000-61000 counter accept comment "Mosh"
77 # Some .nix append gotos here with: add rule inet filter input iifname ... goto ...
80 type filter hook forward priority filter
83 ct state { related, established } accept
84 jump accept-connectivity-forward
87 type filter hook output priority filter
92 ct state { related, established } accept
93 jump accept-connectivity-output
95 tcp dport 22 counter accept comment "SSH"
97 # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
102 type nat hook prerouting priority filter
106 type nat hook postrouting priority srcnat
110 '' + lib.optionalString (config.services.upnpc.redirections != []) (''
111 # Create a rule for accepting any SSDP packets going to a remembered port.
112 add rule inet filter net2fw udp dport @ssdp_out \
113 counter accept comment "SSDP answer"
114 add rule inet filter fw2net \
115 skuid {${users.upnpc.name},${users.nsupdate.name}} \
118 comment "SSDP automatic opening"
119 add rule inet filter fw2net \
120 skuid {${users.upnpc.name},${users.nsupdate.name}} \
121 ip daddr 239.255.255.250 udp dport 1900 \
122 set add udp sport @ssdp_out \
123 comment "SSDP automatic opening"
124 add rule inet filter fw2net \
125 skuid {${users.upnpc.name},${users.nsupdate.name}} \
126 ip daddr 239.255.255.250 udp dport 1900 \
127 counter accept comment "SSDP"
128 '' + lib.optionalString config.networking.enableIPv6 ''
129 add rule inet filter fw2net \
130 skuid {${users.upnpc.name},${users.nsupdate.name}} \
131 ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
132 set add udp sport @ssdp_out comment "SSDP automatic opening"
133 add rule inet filter fw2net \
134 skuid {${users.upnpc.name},${users.nsupdate.name}} \
135 ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
136 counter accept comment "SSDP"