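{ pkgs, lib, config, ... }:
# Shorewall (IPv4) and Shorewall6 (IPv6) configuration for this host.
#
# The zone list, the policy and the rules are the same for both address
# families, so they are generated once by `mkConfigs`; only the zone type,
# the interface options and the main `.conf` file differ per family. This
# keeps the two stacks from silently drifting apart when a rule is edited.
let
  inherit (builtins) readFile;
  inherit (config.users) users;
  inherit (config.services) shorewall shorewall6;

  # Outbound connections (firewall host -> Internet). A `{user=...}`
  # qualifier restricts the rule to connections opened by that local user,
  # so e.g. only the resolver may send DNS to arbitrary hosts; the two
  # address-specific DNS rules exist for knot's NOTIFY to the secondaries.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net {user=${users.unbound.name}}
    DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
    DNS(ACCEPT) $FW net:78.192.65.63 # for knot to notify ns0.muarf.org
    Git(ACCEPT) $FW net
    HKP(ACCEPT) $FW net {user=${users.julm.name}}
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    IRCS(ACCEPT) $FW net {user=${users.julm.name}}
    NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Inbound connections (Internet -> firewall host): the public services.
  # SSH is rate-limited per source address (`s:` prefix) to 1 new
  # connection per minute with a burst of 10, which bounds brute-force
  # attempts at the packet filter before they reach sshd.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    Git(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW {rate=s:1/min:10}
    Sieve(ACCEPT) net $FW
  '';

  # Firewall host -> LAN.
  fw2lan = ''
    Ping(ACCEPT) $FW lan
    DNS(ACCEPT) $FW lan
    HTTPS(ACCEPT) $FW lan
  '';

  # LAN -> firewall host. Note that SSH from the LAN is not rate-limited,
  # unlike `net2fw`.
  lan2fw = ''
    Ping(ACCEPT) lan $FW
    SSH(ACCEPT) lan $FW
    HTTP(ACCEPT) lan $FW
    HTTPS(ACCEPT) lan $FW
    DNS(ACCEPT) lan $FW
  '';

  # Macros for services Shorewall does not ship one for
  # (shorewall-macros(5), ?FORMAT 2 column layout). Mosh's range is the
  # UDP port range the mosh server picks from by default.
  macros = {
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    "macro.IRCS" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 6697
    '';
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };

  # Build the `configs` attrset for one address family.
  #   name       - "shorewall" or "shorewall6"; selects the example config
  #                shipped with the package and the name of the main file
  #   package    - the shorewall / shorewall6 package providing that example
  #   ipType     - zone type, "ipv4" or "ipv6" (shorewall-zones(5))
  #   interfaces - contents of the `interfaces` file (options are family
  #                specific, see the call sites below)
  mkConfigs = { name, package, ipType, interfaces }: macros // {
    # The package's example config followed by local overrides. Values
    # assigned later in the file are the ones that take effect, so the
    # custom block wins over the example's defaults (assumed from the
    # shell-style format — confirm against the shorewall.conf reader).
    # ZONE2ZONE=2 makes zone-pair chain names use "2" (net2fw) rather
    # than "-" (net-fw).
    "${name}.conf" = ''
      ${readFile "${package}/etc-example/${name}/${name}.conf"}
      #
      ## Custom config
      ###
      STARTUP_ENABLED=Yes
      ZONE2ZONE=2
    '';
    zones = ''
      # DOC: shorewall-zones(5)
      fw firewall
      net ${ipType}
      lan ${ipType}
      unused ${ipType}
    '';
    inherit interfaces;
    # Default-deny in every direction; every ACCEPT lives in `rules`.
    # No LOG LEVEL is given (4th column empty or `none`), so dropped and
    # rejected traffic is not logged — set e.g. `info` there if the
    # firewall's drops should be visible to log-based detection.
    policy = ''
      # DOC: shorewall-policy(5)
      $FW all DROP
      lan all DROP none
      net all DROP none
      unused all DROP none
      # WARNING: the following policy must be last
      all all REJECT none
    '';
    # Only the NEW section is declared; with the ESTABLISHED and RELATED
    # sections absent, Shorewall applies its defaults for that traffic
    # (accept) before the NEW rules are consulted.
    rules = ''
      # DOC: shorewall-rules(5)
      #SECTION ALL
      #SECTION ESTABLISHED
      #SECTION RELATED
      ?SECTION NEW

      ${fw2net}
      ${net2fw}

      ${fw2lan}
      ${lan2fw}
    '';
  };
in
{
  services.shorewall = {
    enable = true;
    configs = mkConfigs {
      name = "shorewall";
      package = shorewall.package;
      ipType = "ipv4";
      # arp_filter and routefilter=1 (reverse-path filtering) are IPv4-only
      # kernel knobs, which is why the IPv6 interface list below lacks
      # them; nosmurfs and tcpflags apply to both families.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      '';
    };
  };
  services.shorewall6 = {
    enable = true;
    configs = mkConfigs {
      name = "shorewall6";
      package = shorewall6.package;
      ipType = "ipv6";
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 nosmurfs,tcpflags
        lan enp2s0 nosmurfs,tcpflags
        unused enp3s0 nosmurfs,tcpflags
      '';
    };
  };
}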