]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/shorewall.nix
nix: fix nixpkgs-channel and gpg-agent
[sourcephile-nix.git] / servers / mermet / shorewall.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.services) shorewall shorewall6;
6 fw2net = ''
7 # By protocol
8 Ping(ACCEPT) $FW net
9
10 # By port
11 DNS(ACCEPT) $FW net
12 Git(ACCEPT) $FW net
13 HTTP(ACCEPT) $FW net
14 HTTPS(ACCEPT) $FW net
15 SMTP(ACCEPT) $FW net
16 SMTPS(ACCEPT) $FW net
17 SSH(ACCEPT) $FW net
18 '';
19 net2fw = ''
20 # By protocol
21 Ping(ACCEPT) net $FW
22
23 # By port
24 #HTTPS(ACCEPT) net $FW
25 DNS(ACCEPT) net $FW
26 IMAPS(ACCEPT) net $FW
27 POP3S(ACCEPT) net $FW
28 SMTP(ACCEPT) net $FW
29 SMTPS(ACCEPT) net $FW
30 SSH(ACCEPT) net $FW
31 '';
32 fw2lan = ''
33 Ping(ACCEPT) $FW lan
34 DNS(ACCEPT) $FW lan
35 HTTPS(ACCEPT) $FW lan
36 '';
37 lan2fw = ''
38 Ping(ACCEPT) lan $FW
39 SSH(ACCEPT) lan $FW
40 HTTP(ACCEPT) lan $FW
41 HTTPS(ACCEPT) lan $FW
42 DNS(ACCEPT) lan $FW
43 '';
44 macros = {
45 "macro.Git" = ''
46 ?FORMAT 2
47 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
48 # PORT(S) PORT(S) LIMIT GROUP
49 PARAM - - tcp 9418
50 '';
51 };
52 in
53 {
54 services.shorewall = {
55 enable = true;
56 configs = macros // {
57 "shorewall.conf" = ''
58 ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
59 #
60 ## Custom config
61 ###
62 STARTUP_ENABLED=Yes
63 ZONE2ZONE=2
64 '';
65 zones = ''
66 # DOC: shorewall-zones(5)
67 fw firewall
68 net ipv4
69 lan ipv4
70 unused ipv4
71 '';
72 interfaces = ''
73 # DOC: shorewall-interfaces(5)
74 ?FORMAT 2
75 net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
76 lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp
77 unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
78 '';
79 policy = ''
80 # DOC: shorewall-policy(5)
81 $FW all DROP
82 lan all DROP none
83 net all DROP none
84 unused all DROP none
85 # WARNING: the following policy must be last
86 all all REJECT none
87 '';
88 rules = ''
89 # DOC: shorewall-rules(5)
90 #SECTION ALL
91 #SECTION ESTABLISHED
92 #SECTION RELATED
93 ?SECTION NEW
94
95 ${fw2net}
96 ${net2fw}
97
98 ${fw2lan}
99 ${lan2fw}
100 '';
101 };
102 };
103 services.shorewall6 = {
104 enable = true;
105 configs = macros // {
106 "shorewall6.conf" = ''
107 ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
108 #
109 ## Custom config
110 ###
111 STARTUP_ENABLED=Yes
112 ZONE2ZONE=2
113 '';
114 zones = ''
115 # DOC: shorewall-zones(5)
116 fw firewall
117 net ipv6
118 lan ipv6
119 unused ipv6
120 '';
121 interfaces = ''
122 # DOC: shorewall-interfaces(5)
123 ?FORMAT 2
124 net enp1s0 nosmurfs,tcpflags
125 lan enp2s0 nosmurfs,tcpflags
126 unused enp3s0 nosmurfs,tcpflags
127 '';
128 policy = ''
129 # DOC: shorewall-policy(5)
130 $FW all DROP
131 lan all DROP none
132 net all DROP none
133 unused all DROP none
134 # WARNING: the following policy must be last
135 all all REJECT none
136 '';
137 rules = ''
138 # DOC: shorewall-rules(5)
139 #SECTION ALL
140 #SECTION ESTABLISHED
141 #SECTION RELATED
142 ?SECTION NEW
143
144 ${fw2net}
145 ${net2fw}
146
147 ${fw2lan}
148 ${lan2fw}
149 '';
150 };
151 };
152 }