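# Shorewall (IPv4) and Shorewall6 (IPv6) packet filter for this host.
#
# Layout: three zones on three interfaces (net, lan, unused) plus the
# firewall host itself ($FW). The policy is default-deny in every
# direction; the rule snippets below enumerate the only traffic allowed.
# The rules and policy are identical for both address families and are
# therefore defined once and shared, so the two stacks cannot drift apart.
{ pkgs, lib, config, ... }:
let
  inherit (builtins) readFile;
  inherit (config) users;
  inherit (config.services) shorewall shorewall6;

  # Traffic the firewall host may initiate towards the Internet.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    # Outbound DNS is limited to the unbound user via the USER/GROUP column:
    # only the local resolver may reach port 53 on the Internet.
    DNS(ACCEPT) $FW net {user=${users.users.unbound.name}}
    Git(ACCEPT) $FW net
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Services the firewall host exposes to the Internet.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    # NOTE(review): DNS is reachable from the Internet. If unbound recurses
    # for clients, its access-control must restrict who may query it, or
    # this exposes an open resolver -- confirm in the unbound config.
    DNS(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    # SSH is accepted with no rate limit; shorewall-rules(5) has a
    # RATE LIMIT column if brute-force throttling is wanted here.
    SSH(ACCEPT) net $FW
  '';

  # Traffic the firewall host may initiate towards the LAN.
  fw2lan = ''
    Ping(ACCEPT) $FW lan
    DNS(ACCEPT) $FW lan
    HTTPS(ACCEPT) $FW lan
  '';

  # Services the firewall host exposes to the LAN.
  lan2fw = ''
    Ping(ACCEPT) lan $FW
    SSH(ACCEPT) lan $FW
    HTTP(ACCEPT) lan $FW
    HTTPS(ACCEPT) lan $FW
    DNS(ACCEPT) lan $FW
  '';

  # Extra macros for services Shorewall does not ship a macro for.
  # They are merged into both the IPv4 and IPv6 config directories.
  macros = {
    # Git daemon protocol, tcp/9418.
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    # Mosh server UDP range.
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };

  # Default-deny policy, shared by both address families.
  # Nothing crosses a zone boundary unless a rule allows it. The 4th
  # column is the log level; `none` disables logging for that policy.
  # The `unused` zone has no rules at all, so its interface is fully
  # isolated by this policy.
  policy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    lan all DROP none
    net all DROP none
    unused all DROP none
    # WARNING: the following policy must be last
    all all REJECT none
  '';

  # Rules file shared by both address families. Only a NEW section is
  # declared; the other sections are left commented out, so Shorewall's
  # default handling of ESTABLISHED/RELATED traffic applies (presumably
  # accept -- verify against shorewall-rules(5) for the installed version).
  rules = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW

    ${fw2net}
    ${net2fw}

    ${fw2lan}
    ${lan2fw}
  '';

  # Settings appended to the example shorewall.conf shipped with the
  # package. STARTUP_ENABLED=Yes is required for the service to start;
  # ZONE2ZONE=2 is the separator used between zone names in generated
  # chain names. Assumes a later assignment overrides the example's
  # earlier one -- TODO confirm.
  customConf = ''
    #
    ## Custom config
    ###
    STARTUP_ENABLED=Yes
    ZONE2ZONE=2
  '';
in
{
  services.shorewall = {
    enable = true;
    configs = macros // {
      "shorewall.conf" = ''
        ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
        ${customConf}
      '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv4
        lan ipv4
        unused ipv4
      '';
      # Per-interface hardening options (shorewall-interfaces(5)):
      # arp_filter restricts ARP replies to the interface owning the
      # address, nosmurfs drops packets with a broadcast/multicast source,
      # routefilter=1 enables kernel reverse-path filtering, tcpflags
      # drops packets with invalid TCP flag combinations.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      '';
      inherit policy rules;
    };
  };

  services.shorewall6 = {
    enable = true;
    configs = macros // {
      "shorewall6.conf" = ''
        ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
        ${customConf}
      '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv6
        lan ipv6
        unused ipv6
      '';
      # Same interfaces as the IPv4 stack; arp_filter and routefilter are
      # absent here, presumably because they are IPv4-only sysctls.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 nosmurfs,tcpflags
        lan enp2s0 nosmurfs,tcpflags
        unused enp3s0 nosmurfs,tcpflags
      '';
      inherit policy rules;
    };
  };
}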