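{ pkgs, lib, config, ... }:
# Host firewall for losurdo (production): Shorewall for IPv4 and Shorewall6
# for IPv6, sharing the same macros, policy and rules.  `lib` is unused here
# but kept in the module signature.
let
  inherit (builtins) readFile;
  inherit (config.users) users;
  inherit (config.services) shorewall shorewall6;

  # shorewall.conf / shorewall6.conf: the example file shipped with the
  # package, followed by the local overrides.
  #   STARTUP_ENABLED=Yes -- the packaged example sets No, which blocks start-up
  #   ZONE2ZONE=2         -- separator used in zone-pair chain names (net2fw)
  # NOTE(review): this relies on a later assignment winning over the earlier
  # one from the example file; run `shorewall check` after editing to confirm
  # the compiler does not object to the duplicated keys.
  mkConf = exampleFile: ''
    ${readFile exampleFile}
    #
    ## Custom config
    ###
    STARTUP_ENABLED=Yes
    ZONE2ZONE=2
  '';

  # Traffic allowed from the host itself out to the internet, see
  # shorewall-rules(5).  The `{user=...}` qualifier only matches packets
  # originated by that local UID, so DNS, HKP, IRCS and NTP are pinned to one
  # daemon/user each; the remaining services are open to any local process.
  # Consider pinning SMTP/SMTPS/Git/SSH the same way if only one daemon or
  # user legitimately needs them.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net {user=${users.unbound.name}}
    Git(ACCEPT) $FW net
    HKP(ACCEPT) $FW net {user=${users.julm.name}}
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    IRCS(ACCEPT) $FW net {user=${users.julm.name}}
    NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Services exposed to the internet.  SSH carries a per-source rate limit
  # (RATE column `s:1/min:10`: one new connection per minute per source,
  # burst of 10) to slow down credential guessing; Mosh is the UDP range
  # from the local macro below.
  # NOTE(review): DNS is open to the whole net zone -- make sure unbound's
  # access-control does not recurse for arbitrary clients, or this host can
  # be used as an amplification reflector.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW {rate=s:1/min:10}
    Sieve(ACCEPT) net $FW
  '';

  # Local macro definitions, installed for both IPv4 and IPv6.  `?FORMAT 2`
  # selects the column layout with separate DEST/SOURCE port columns, see
  # shorewall-macros(5).
  macros = {
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    "macro.IRCS" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 6697
    '';
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };

  # Default dispositions, see shorewall-policy(5).  Anything not matched by
  # `rules` is DROPped without logging (LOGLEVEL column empty or `none`);
  # the final all/all REJECT is the catch-all and must stay last because
  # policies are matched in order.  The `wet` (Wi-Fi) zone has no rules at
  # all, so it is cut off from the host and from `net` in both directions.
  policy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    net all DROP none
    wet all DROP none
    # WARNING: the following policy must be last
    all all REJECT none
  '';

  # Rules file, see shorewall-rules(5).  Only a NEW section is declared; the
  # commented markers are kept as a reminder of the other sections.
  # NOTE(review): this assumes the documented defaults for the omitted
  # sections (implicit ACCEPT at the end of ESTABLISHED, RELATED_DISPOSITION
  # from shorewall.conf for RELATED), so replies to the connections allowed
  # below still flow -- confirm with `shorewall show` if this ever changes.
  rules = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW

    ${fw2net}
    ${net2fw}
  '';
in
{
  services.shorewall = {
    enable = true;
    configs = macros // {
      "shorewall.conf" =
        mkConf "${shorewall.package}/etc-example/shorewall/shorewall.conf";
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv4
        wet ipv4
      '';
      # Anti-spoofing on both interfaces: reverse-path filtering
      # (routefilter=1), arp_filter, rejection of broadcast-sourced packets
      # (nosmurfs) and of invalid TCP flag combinations (tcpflags).
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp5s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        wet wlp4s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      '';
      inherit policy rules;
    };
  };

  services.shorewall6 = {
    enable = true;
    configs = macros // {
      "shorewall6.conf" =
        mkConf "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf";
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv6
        wet ipv6
      '';
      # arp_filter and routefilter are IPv4 sysctls and are not offered by
      # shorewall6-interfaces(5); nosmurfs and tcpflags are the IPv6 subset.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp5s0 nosmurfs,tcpflags
        wet wlp4s0 nosmurfs,tcpflags
      '';
      inherit policy rules;
    };
  };
}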