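{ pkgs, lib, config, ... }:
# Shorewall (IPv4) and Shorewall6 (IPv6) host firewall for this machine.
# Three interfaces map to three zones (net, lan, unused); both stacks drop
# everything by default and only open what the rule fragments below accept.
let
  inherit (builtins) readFile;
  inherit (config.services) shorewall shorewall6;

  # The rule fragments are spliced into BOTH the IPv4 and IPv6 rule sets, so
  # every line here opens the same service on both stacks.

  # Outbound from the firewall host ($FW) to the Internet (net).
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net
    Git(ACCEPT) $FW net
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Inbound from the Internet (net) to the firewall host ($FW).
  # None of these rules fill the RATE LIMIT column, so connection attempts
  # against SSH, Mosh and the mail/HTTP daemons are not throttled by the
  # firewall; any throttling has to come from the services themselves.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW
  '';

  # Outbound from the firewall host to the LAN.
  fw2lan = ''
    Ping(ACCEPT) $FW lan
    DNS(ACCEPT) $FW lan
    HTTPS(ACCEPT) $FW lan
  '';

  # Inbound from the LAN to the firewall host.
  lan2fw = ''
    Ping(ACCEPT) lan $FW
    SSH(ACCEPT) lan $FW
    HTTP(ACCEPT) lan $FW
    HTTPS(ACCEPT) lan $FW
    DNS(ACCEPT) lan $FW
  '';

  # Service macros that ship with neither shorewall nor shorewall6:
  # Git protocol on tcp/9418 and Mosh on udp/60000-61000.
  macros = {
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };

  # Default policies, shared verbatim by both stacks: DROP anything the rules
  # do not accept, with a final catch-all REJECT that must stay last (policy
  # order matters, see the WARNING). The LOGLEVEL column is empty or `none`
  # on every line, so traffic hitting these policies is presumably not
  # logged — confirm against shorewall-policy(5) if blocked connections
  # should show up in the logs.
  policy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    lan all DROP none
    net all DROP none
    unused all DROP none
    # WARNING: the following policy must be last
    all all REJECT none
  '';

  # Rules file, shared verbatim by both stacks; only the NEW section is used.
  rules = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW

    ${fw2net}
    ${net2fw}

    ${fw2lan}
    ${lan2fw}
  '';
in
{
  services.shorewall = {
    enable = true;
    configs = macros // {
      # Start from the packaged example config and override a few keys.
      "shorewall.conf" = ''
        ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
        #
        ## Custom config
        ###
        STARTUP_ENABLED=Yes
        ZONE2ZONE=2
      '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv4
        lan ipv4
        unused ipv4
      '';
      # Every interface gets anti-spoofing hardening: reverse-path check
      # (routefilter=1), ARP filtering, smurf and bad-TCP-flag filtering.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      '';
      inherit policy rules;
    };
  };
  services.shorewall6 = {
    enable = true;
    configs = macros // {
      # Start from the packaged example config and override a few keys.
      "shorewall6.conf" = ''
        ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
        #
        ## Custom config
        ###
        STARTUP_ENABLED=Yes
        ZONE2ZONE=2
      '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv6
        lan ipv6
        unused ipv6
      '';
      # NOTE(review): the IPv6 side carries only nosmurfs,tcpflags; there is
      # no reverse-path check here (arp_filter and routefilter=1 are the
      # IPv4 options). shorewall6-interfaces(5) documents `rpfilter` as the
      # option for that — confirm whether it should be added.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 nosmurfs,tcpflags
        lan enp2s0 nosmurfs,tcpflags
        unused enp3s0 nosmurfs,tcpflags
      '';
      inherit policy rules;
    };
  };
}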