]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/staging/shorewall.nix
gitolite: update
[sourcephile-nix.git] / servers / mermet / staging / shorewall.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.services) shorewall shorewall6;
6 fw2net = ''
7 # By protocol
8 Ping(ACCEPT) $FW net
9
10 # By port
11 DNS(ACCEPT) $FW net
12 Git(ACCEPT) $FW net
13 HTTP(ACCEPT) $FW net
14 HTTPS(ACCEPT) $FW net
15 SMTP(ACCEPT) $FW net
16 SMTPS(ACCEPT) $FW net
17 SSH(ACCEPT) $FW net
18 '';
19 net2fw = ''
20 # By protocol
21 Ping(ACCEPT) net $FW
22
23 # By port
24 #HTTPS(ACCEPT) net $FW
25 DNS(ACCEPT) net $FW
26 IMAPS(ACCEPT) net $FW
27 Mosh(ACCEPT) net $FW
28 POP3S(ACCEPT) net $FW
29 SMTP(ACCEPT) net $FW
30 SMTPS(ACCEPT) net $FW
31 SSH(ACCEPT) net $FW
32 '';
33 fw2lan = ''
34 Ping(ACCEPT) $FW lan
35 DNS(ACCEPT) $FW lan
36 HTTPS(ACCEPT) $FW lan
37 '';
38 lan2fw = ''
39 Ping(ACCEPT) lan $FW
40 SSH(ACCEPT) lan $FW
41 HTTP(ACCEPT) lan $FW
42 HTTPS(ACCEPT) lan $FW
43 DNS(ACCEPT) lan $FW
44 '';
45 macros = {
46 "macro.Git" = ''
47 ?FORMAT 2
48 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
49 # PORT(S) PORT(S) LIMIT GROUP
50 PARAM - - tcp 9418
51 '';
52 "macro.Mosh" = ''
53 ?FORMAT 2
54 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
55 # PORT(S) PORT(S) LIMIT GROUP
56 PARAM - - udp 60000-61000
57 '';
58 };
59 in
60 {
61 services.shorewall = {
62 enable = true;
63 configs = macros // {
64 "shorewall.conf" = ''
65 ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
66 #
67 ## Custom config
68 ###
69 STARTUP_ENABLED=Yes
70 ZONE2ZONE=2
71 '';
72 zones = ''
73 # DOC: shorewall-zones(5)
74 fw firewall
75 net ipv4
76 lan ipv4
77 '';
78 interfaces = ''
79 # DOC: shorewall-interfaces(5)
80 ?FORMAT 2
81 net enp0s3 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp
82 lan enp0s8 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp
83 '';
84 policy = ''
85 # DOC: shorewall-policy(5)
86 $FW all DROP
87 lan all DROP none
88 net all DROP none
89 # WARNING: the following policy must be last
90 all all REJECT none
91 '';
92 rules = ''
93 # DOC: shorewall-rules(5)
94 #SECTION ALL
95 #SECTION ESTABLISHED
96 #SECTION RELATED
97 ?SECTION NEW
98
99 ${fw2net}
100 ${net2fw}
101
102 ${fw2lan}
103 ${lan2fw}
104 '';
105 };
106 };
107 services.shorewall6 = {
108 enable = true;
109 configs = macros // {
110 "shorewall6.conf" = ''
111 ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
112 #
113 ## Custom config
114 ###
115 STARTUP_ENABLED=Yes
116 ZONE2ZONE=2
117 '';
118 zones = ''
119 # DOC: shorewall-zones(5)
120 fw firewall
121 net ipv6
122 lan ipv6
123 '';
124 interfaces = ''
125 # DOC: shorewall-interfaces(5)
126 ?FORMAT 2
127 net enp0s3 nosmurfs,tcpflags
128 lan enp0s8 nosmurfs,tcpflags
129 '';
130 policy = ''
131 # DOC: shorewall-policy(5)
132 $FW all DROP
133 lan all DROP none
134 net all DROP none
135 # WARNING: the following policy must be last
136 all all REJECT none
137 '';
138 rules = ''
139 # DOC: shorewall-rules(5)
140 #SECTION ALL
141 #SECTION ESTABLISHED
142 #SECTION RELATED
143 ?SECTION NEW
144
145 ${fw2net}
146 ${net2fw}
147
148 ${fw2lan}
149 ${lan2fw}
150 '';
151 };
152 };
153 }