]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/production/shorewall.nix
nginx: use forceSSL
[sourcephile-nix.git] / servers / mermet / production / shorewall.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config) users;
6 inherit (config.services) shorewall shorewall6;
7 fw2net = ''
8 # By protocol
9 Ping(ACCEPT) $FW net
10
11 # By port
12 DNS(ACCEPT) $FW net {user=${users.users.unbound.name}}
13 DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
14 DNS(ACCEPT) $FW net:78.192.65.63 # for knot to notify ns0.muarf.org
15 Git(ACCEPT) $FW net
16 HKP(ACCEPT) $FW net {user=${users.users.julm.name}}
17 HTTP(ACCEPT) $FW net
18 HTTPS(ACCEPT) $FW net
19 SMTP(ACCEPT) $FW net
20 SMTPS(ACCEPT) $FW net
21 SSH(ACCEPT) $FW net
22 '';
23 net2fw = ''
24 # By protocol
25 Ping(ACCEPT) net $FW
26
27 # By port
28 DNS(ACCEPT) net $FW
29 HTTP(ACCEPT) net $FW
30 HTTPS(ACCEPT) net $FW
31 IMAPS(ACCEPT) net $FW
32 Mosh(ACCEPT) net $FW
33 POP3S(ACCEPT) net $FW
34 SMTP(ACCEPT) net $FW
35 SMTPS(ACCEPT) net $FW
36 SSH(ACCEPT) net $FW {rate=s:1/min:10}
37 Sieve(ACCEPT) net $FW
38 '';
39 fw2lan = ''
40 Ping(ACCEPT) $FW lan
41 DNS(ACCEPT) $FW lan
42 HTTPS(ACCEPT) $FW lan
43 '';
44 lan2fw = ''
45 Ping(ACCEPT) lan $FW
46 SSH(ACCEPT) lan $FW
47 HTTP(ACCEPT) lan $FW
48 HTTPS(ACCEPT) lan $FW
49 DNS(ACCEPT) lan $FW
50 '';
51 macros = {
52 "macro.Git" = ''
53 ?FORMAT 2
54 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
55 # PORT(S) PORT(S) LIMIT GROUP
56 PARAM - - tcp 9418
57 '';
58 "macro.Mosh" = ''
59 ?FORMAT 2
60 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
61 # PORT(S) PORT(S) LIMIT GROUP
62 PARAM - - udp 60000-61000
63 '';
64 };
65 in
66 {
67 services.shorewall = {
68 enable = true;
69 configs = macros // {
70 "shorewall.conf" = ''
71 ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
72 #
73 ## Custom config
74 ###
75 STARTUP_ENABLED=Yes
76 ZONE2ZONE=2
77 '';
78 zones = ''
79 # DOC: shorewall-zones(5)
80 fw firewall
81 net ipv4
82 lan ipv4
83 unused ipv4
84 '';
85 interfaces = ''
86 # DOC: shorewall-interfaces(5)
87 ?FORMAT 2
88 net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
89 lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
90 unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
91 '';
92 policy = ''
93 # DOC: shorewall-policy(5)
94 $FW all DROP
95 lan all DROP none
96 net all DROP none
97 unused all DROP none
98 # WARNING: the following policy must be last
99 all all REJECT none
100 '';
101 rules = ''
102 # DOC: shorewall-rules(5)
103 #SECTION ALL
104 #SECTION ESTABLISHED
105 #SECTION RELATED
106 ?SECTION NEW
107
108 ${fw2net}
109 ${net2fw}
110
111 ${fw2lan}
112 ${lan2fw}
113 '';
114 };
115 };
116 services.shorewall6 = {
117 enable = true;
118 configs = macros // {
119 "shorewall6.conf" = ''
120 ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
121 #
122 ## Custom config
123 ###
124 STARTUP_ENABLED=Yes
125 ZONE2ZONE=2
126 '';
127 zones = ''
128 # DOC: shorewall-zones(5)
129 fw firewall
130 net ipv6
131 lan ipv6
132 unused ipv6
133 '';
134 interfaces = ''
135 # DOC: shorewall-interfaces(5)
136 ?FORMAT 2
137 net enp1s0 nosmurfs,tcpflags
138 lan enp2s0 nosmurfs,tcpflags
139 unused enp3s0 nosmurfs,tcpflags
140 '';
141 policy = ''
142 # DOC: shorewall-policy(5)
143 $FW all DROP
144 lan all DROP none
145 net all DROP none
146 unused all DROP none
147 # WARNING: the following policy must be last
148 all all REJECT none
149 '';
150 rules = ''
151 # DOC: shorewall-rules(5)
152 #SECTION ALL
153 #SECTION ESTABLISHED
154 #SECTION RELATED
155 ?SECTION NEW
156
157 ${fw2net}
158 ${net2fw}
159
160 ${fw2lan}
161 ${lan2fw}
162 '';
163 };
164 };
165 }