]> Git — Sourcephile - sourcephile-nix.git/blob - servers/losurdo/production/shorewall.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
sanoid: comment usage
[sourcephile-nix.git] / servers / losurdo / production / shorewall.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.users) users;
6 inherit (config.services) shorewall shorewall6;
7 fw2net = ''
8 # By protocol
9 Ping(ACCEPT) $FW net
10
11 # By port
12 DNS(ACCEPT) $FW net {user=${users.unbound.name}}
13 Git(ACCEPT) $FW net
14 HKP(ACCEPT) $FW net {user=${users.julm.name}}
15 HTTP(ACCEPT) $FW net
16 HTTPS(ACCEPT) $FW net
17 ACCEPT $FW net {proto=tcp, dport=8080}
18 IRCS(ACCEPT) $FW net {user=${users.julm.name}}
19 NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
20 SMTP(ACCEPT) $FW net
21 SMTPS(ACCEPT) $FW net
22 SSH(ACCEPT) $FW net
23 '';
24 net2fw = ''
25 # By protocol
26 Ping(ACCEPT) net $FW
27
28 # By port
29 DNS(ACCEPT) net $FW
30 HTTP(ACCEPT) net $FW
31 HTTPS(ACCEPT) net $FW
32 IMAPS(ACCEPT) net $FW
33 Mosh(ACCEPT) net $FW
34 POP3S(ACCEPT) net $FW
35 SMTP(ACCEPT) net $FW
36 SMTPS(ACCEPT) net $FW
37 SSH(ACCEPT) net $FW {rate=s:1/min:10}
38 Sieve(ACCEPT) net $FW
39 '';
40 macros = {
41 "macro.Git" = ''
42 ?FORMAT 2
43 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
44 # PORT(S) PORT(S) LIMIT GROUP
45 PARAM - - tcp 9418
46 '';
47 "macro.IRCS" = ''
48 ?FORMAT 2
49 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
50 # PORT(S) PORT(S) LIMIT GROUP
51 PARAM - - tcp 6697
52 '';
53 "macro.Mosh" = ''
54 ?FORMAT 2
55 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
56 # PORT(S) PORT(S) LIMIT GROUP
57 PARAM - - udp 60000-61000
58 '';
59 };
60 in
61 {
62 services.shorewall = {
63 enable = true;
64 configs = macros // {
65 "shorewall.conf" = ''
66 ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
67 #
68 ## Custom config
69 ###
70 STARTUP_ENABLED=Yes
71 ZONE2ZONE=2
72 '';
73 zones = ''
74 # DOC: shorewall-zones(5)
75 fw firewall
76 net ipv4
77 wet ipv4
78 '';
79 interfaces = ''
80 # DOC: shorewall-interfaces(5)
81 ?FORMAT 2
82 net enp5s0 arp_filter,nosmurfs,routefilter=1,tcpflags
83 wet wlp4s0 arp_filter,nosmurfs,routefilter=1,tcpflags
84 '';
85 policy = ''
86 # DOC: shorewall-policy(5)
87 $FW all DROP
88 net all DROP none
89 wet all DROP none
90 # WARNING: the following policy must be last
91 all all REJECT none
92 '';
93 rules = ''
94 # DOC: shorewall-rules(5)
95 #SECTION ALL
96 #SECTION ESTABLISHED
97 #SECTION RELATED
98 ?SECTION NEW
99
100 ${fw2net}
101 ${net2fw}
102 '';
103 };
104 };
105 services.shorewall6 = {
106 enable = true;
107 configs = macros // {
108 "shorewall6.conf" = ''
109 ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
110 #
111 ## Custom config
112 ###
113 STARTUP_ENABLED=Yes
114 ZONE2ZONE=2
115 '';
116 zones = ''
117 # DOC: shorewall-zones(5)
118 fw firewall
119 net ipv6
120 wet ipv6
121 '';
122 interfaces = ''
123 # DOC: shorewall-interfaces(5)
124 ?FORMAT 2
125 net enp5s0 nosmurfs,tcpflags
126 wet wlp4s0 nosmurfs,tcpflags
127 '';
128 policy = ''
129 # DOC: shorewall-policy(5)
130 $FW all DROP
131 net all DROP none
132 wet all DROP none
133 # WARNING: the following policy must be last
134 all all REJECT none
135 '';
136 rules = ''
137 # DOC: shorewall-rules(5)
138 #SECTION ALL
139 #SECTION ESTABLISHED
140 #SECTION RELATED
141 ?SECTION NEW
142
143 ${fw2net}
144 ${net2fw}
145 '';
146 };
147 };
148 }
NixOS configurations for Sourcephile's infrastructure