1 { pkgs, lib, config, ... }:
2 let
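# Only the names actually used in this file are brought into scope:
# readFile loads the packaged example shorewall*.conf, `users` supplies the
# Unix user names for the {user=...} rule restrictions, and the two
# service options give the package paths.  (hasAttr and unlinesAttrs were
# inherited before but never referenced.)
inherit (builtins) readFile;
inherit (config.users) users;
inherit (config.services) shorewall shorewall6;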
# Connections initiated by this host ($FW) towards the internet-facing
# "net" zone.  Interpolated into the rules of both shorewall and shorewall6
# below.  Where a protocol is only needed by one daemon the rule is further
# restricted to that Unix user ({user=...}), so a compromised unrelated
# account does not inherit the same outbound reach.  The two pinned DNS
# destinations are the secondary name servers knot has to NOTIFY.
fw2net = ''
  # By protocol
  Ping(ACCEPT) $FW net

  # By port
  DNS(ACCEPT) $FW net {user=${users.unbound.name}}
  DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
  DNS(ACCEPT) $FW net:78.192.65.63 # for knot to notify ns0.muarf.org
  Git(ACCEPT) $FW net
  HKP(ACCEPT) $FW net {user=${users.julm.name}}
  HTTP(ACCEPT) $FW net
  HTTPS(ACCEPT) $FW net
  IRCS(ACCEPT) $FW net {user=${users.julm.name}}
  NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
  NNTP(ACCEPT) $FW net {user=${users.julm.name}}
  NNTPS(ACCEPT) $FW net {user=${users.julm.name}}
  SMTP(ACCEPT) $FW net
  SMTPS(ACCEPT) $FW net
  SSH(ACCEPT) $FW net
'';
# Connections from the "net" zone to this host ($FW): every rule here is
# an ACCEPT, so this list is the publicly reachable surface of the machine.
# SSH is rate-limited per source address ({rate=s:1/min:10}: 1 new
# connection per minute with a burst of 10) to slow down password guessing.
# NOTE(review): the raw ACCEPT on tcp/8080 is the only rule that does not
# name the service behind it; a comment (or a dedicated macro like the ones
# in `macros`) would make it clear what it serves and when it can be closed.
net2fw = ''
  # By protocol
  Ping(ACCEPT) net $FW

  # By port
  DNS(ACCEPT) net $FW
  Git(ACCEPT) net $FW
  HTTP(ACCEPT) net $FW
  HTTPS(ACCEPT) net $FW
  IMAPS(ACCEPT) net $FW
  Mosh(ACCEPT) net $FW
  ACCEPT net $FW {proto=tcp, dport=8080}
  NNTPS(ACCEPT) net $FW
  POP3S(ACCEPT) net $FW
  SMTP(ACCEPT) net $FW
  SMTPS(ACCEPT) net $FW
  SSH(ACCEPT) net $FW {rate=s:1/min:10}
  Sieve(ACCEPT) net $FW
'';
# Connections initiated by this host towards the "lan" zone: only
# ICMP echo, DNS and HTTPS are allowed out to the local network.
fw2lan = ''
  Ping(ACCEPT) $FW lan
  DNS(ACCEPT) $FW lan
  HTTPS(ACCEPT) $FW lan
'';
# Connections from the "lan" zone to this host.  Unlike net2fw, SSH from
# the LAN is not rate-limited, and neither mail nor Git are reachable
# from this side.
lan2fw = ''
  Ping(ACCEPT) lan $FW
  SSH(ACCEPT) lan $FW
  HTTP(ACCEPT) lan $FW
  HTTPS(ACCEPT) lan $FW
  DNS(ACCEPT) lan $FW
'';
# Locally defined Shorewall macros, merged into the config files of both
# shorewall and shorewall6 below (`macros // { ... }`) so the rules above
# can use Git(...), IRCS(...) and Mosh(...) like the stock macros.  In
# ?FORMAT 2 the PARAM action is replaced by the one given at the call
# site, e.g. Git(ACCEPT).
# NOTE(review): presumably these shadow any same-named macro shipped with
# the shorewall package; keep the port numbers in sync with the services
# actually listening.
macros = {
  # git:// daemon protocol, tcp/9418.
  "macro.Git" = ''
    ?FORMAT 2
    #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
    # PORT(S) PORT(S) LIMIT GROUP
    PARAM - - tcp 9418
  '';
  # IRC over TLS, tcp/6697.
  "macro.IRCS" = ''
    ?FORMAT 2
    #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
    # PORT(S) PORT(S) LIMIT GROUP
    PARAM - - tcp 6697
  '';
  # Mosh server port range, udp/60000-61000 (used by net2fw above).
  "macro.Mosh" = ''
    ?FORMAT 2
    #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
    # PORT(S) PORT(S) LIMIT GROUP
    PARAM - - udp 60000-61000
  '';
};
78 in
79 {
# IPv4 firewall.  The zone/policy/rules layout is the same as in
# services.shorewall6 below; only the example config path, the zone
# address family and the interface options differ.
services.shorewall = {
  enable = true;
  # The local macros (Git, IRCS, Mosh) are installed alongside the
  # generated config files so the rules can reference them by name.
  configs = macros // {
    # Start from the example shorewall.conf shipped in the package and
    # append the site settings.  Presumably the last assignment of a
    # setting wins, as in a shell-style file -- verify if a value set
    # here ever appears not to take effect.
    # ZONE2ZONE=2 is the separator used in zone-to-zone chain names
    # (net2fw, fw2net, ...).
    "shorewall.conf" = ''
      ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
      #
      ## Custom config
      ###
      STARTUP_ENABLED=Yes
      ZONE2ZONE=2
    '';
    # Four zones: the firewall itself, the internet, the LAN and a
    # third interface that is declared only so that it gets a DROP policy.
    zones = ''
      # DOC: shorewall-zones(5)
      fw firewall
      net ipv4
      lan ipv4
      unused ipv4
    '';
    # One NIC per zone; every interface gets anti-spoofing options
    # (ARP filtering, smurf and bogus-TCP-flag rejection, reverse-path
    # filtering).
    interfaces = ''
      # DOC: shorewall-interfaces(5)
      ?FORMAT 2
      net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
    '';
    # Default-deny in every direction, including traffic originated by the
    # host itself ($FW all DROP); nothing is forwarded between zones, so
    # the box is a host firewall, not a router.
    # NOTE(review): none of these policies log ($FW's line has no log
    # level, the others say "none"), so scans and misconfigured services
    # are dropped silently.  A log level such as `info` on at least the
    # net policy would make them visible in the journal.
    policy = ''
      # DOC: shorewall-policy(5)
      $FW all DROP
      lan all DROP none
      net all DROP none
      unused all DROP none
      # WARNING: the following policy must be last
      all all REJECT none
    '';
    # Only the NEW section is populated; the ALL/ESTABLISHED/RELATED
    # section markers are kept as comments for reference.  The per-zone
    # rule strings defined in the let block above are spliced in here.
    rules = ''
      # DOC: shorewall-rules(5)
      #SECTION ALL
      #SECTION ESTABLISHED
      #SECTION RELATED
      ?SECTION NEW

      ${fw2net}
      ${net2fw}

      ${fw2lan}
      ${lan2fw}
    '';
  };
};
# IPv6 firewall, mirroring services.shorewall above with the same zones,
# policies and rule strings.  Keep the two in sync: a service opened in
# net2fw is reachable over both address families.
services.shorewall6 = {
  enable = true;
  # Same local macros as for IPv4 (Git, IRCS, Mosh).
  configs = macros // {
    # Example shorewall6.conf from the package plus the site settings
    # (presumably last assignment wins, as in a shell-style file).
    "shorewall6.conf" = ''
      ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
      #
      ## Custom config
      ###
      STARTUP_ENABLED=Yes
      ZONE2ZONE=2
    '';
    zones = ''
      # DOC: shorewall-zones(5)
      fw firewall
      net ipv6
      lan ipv6
      unused ipv6
    '';
    # arp_filter and routefilter are IPv4-only kernel knobs (ARP, rp_filter)
    # and have no IPv6 counterpart, hence only nosmurfs,tcpflags here.
    interfaces = ''
      # DOC: shorewall-interfaces(5)
      ?FORMAT 2
      net enp1s0 nosmurfs,tcpflags
      lan enp2s0 nosmurfs,tcpflags
      unused enp3s0 nosmurfs,tcpflags
    '';
    # Default-deny in every direction, no forwarding between zones.
    # NOTE(review): as with the IPv4 policy, no log level is set anywhere,
    # so policy drops are not recorded; consider `info` on the net policy.
    policy = ''
      # DOC: shorewall-policy(5)
      $FW all DROP
      lan all DROP none
      net all DROP none
      unused all DROP none
      # WARNING: the following policy must be last
      all all REJECT none
    '';
    # Same rule strings as IPv4; only the NEW section is populated.
    rules = ''
      # DOC: shorewall-rules(5)
      #SECTION ALL
      #SECTION ESTABLISHED
      #SECTION RELATED
      ?SECTION NEW

      ${fw2net}
      ${net2fw}

      ${fw2lan}
      ${lan2fw}
    '';
  };
};
178 }