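{ pkgs, lib, config, ... }:
# Shorewall (IPv4) and Shorewall6 (IPv6) packet filtering for this host.
#
# Both stacks use the same zone layout -- fw (this host), net (Internet on
# enp1s0), lan (enp2s0) and unused (enp3s0) -- and the same policies and
# rules; only the zones/interfaces tables and the base *.conf differ.  The
# shared parts are therefore bound once in the `let` below and reused by
# both services.shorewall and services.shorewall6, so the two stacks cannot
# silently drift apart.
let
  inherit (builtins) readFile;
  inherit (config.users) users;
  inherit (config.services) shorewall shorewall6;

  # Outbound traffic from the firewall host itself to the Internet.
  # `{user=...}` restricts a rule to a single local UID (e.g. only the
  # unbound user may open outbound DNS), which limits what an unrelated
  # compromised service on the host is able to reach.
  # NOTE(review): the two `net:<IPv4>` destinations are also interpolated
  # into the shorewall6 rules below; confirm shorewall6 tolerates IPv4
  # literals there, or give the IPv6 stack its own fragment.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net {user=${users.unbound.name}}
    DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
    DNS(ACCEPT) $FW net:78.192.65.63 # for knot to notify ns0.muarf.org
    Git(ACCEPT) $FW net
    HKP(ACCEPT) $FW net {user=${users.julm.name}}
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    IRCS(ACCEPT) $FW net {user=${users.julm.name}}
    NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}}
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Inbound from the Internet to the host: this is the exposed service
  # surface.  SSH is rate limited per source address (`s:1/min:10`, i.e.
  # one new connection per minute with a burst of 10) to slow down
  # credential guessing; the other services rely on their own hardening.
  # NOTE(review): `ACCEPT net $FW {proto=tcp, dport=8080}` is the only
  # inbound rule with neither a macro nor a comment naming its service;
  # document what listens on 8080 (or define a macro for it like the ones
  # in `macros`) so the exposure stays auditable.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    Git(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    ACCEPT net $FW {proto=tcp, dport=8080}
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW {rate=s:1/min:10}
    Sieve(ACCEPT) net $FW
  '';

  # Host <-> LAN: a deliberately narrower set than for the Internet.
  fw2lan = ''
    Ping(ACCEPT) $FW lan
    DNS(ACCEPT) $FW lan
    HTTPS(ACCEPT) $FW lan
  '';
  lan2fw = ''
    Ping(ACCEPT) lan $FW
    SSH(ACCEPT) lan $FW
    HTTP(ACCEPT) lan $FW
    HTTPS(ACCEPT) lan $FW
    DNS(ACCEPT) lan $FW
  '';

  # Local macros for services referenced above (Git, IRCS, Mosh) that the
  # rules need beyond Shorewall's stock macro set; merged into the
  # `configs` of both stacks.  `?FORMAT 2` selects the column layout the
  # header comment of each macro describes.
  macros = {
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    "macro.IRCS" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 6697
    '';
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };

  # Per-zone policy, shared by both stacks: default-deny in every
  # direction, so NEW connections must be explicitly allowed in `rules`.
  # The LOGLEVEL column is `none` (or empty for $FW), so dropped and
  # rejected packets are not logged; set a syslog level (e.g. `info`) on
  # the `net` line if visibility into scans and probes is wanted.
  policy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    lan all DROP none
    net all DROP none
    unused all DROP none
    # WARNING: the following policy must be last
    all all REJECT none
  '';

  # Rules shared by both stacks.  Only the NEW section is declared; the
  # ALL/ESTABLISHED/RELATED sections are left commented out, so Shorewall's
  # default handling of established and related traffic applies.
  rules = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW

    ${fw2net}
    ${net2fw}

    ${fw2lan}
    ${lan2fw}
  '';

  # Base configuration: the example shorewall(6).conf shipped by the
  # package, followed by the local overrides (the file is shell-style, so
  # the later assignment presumably wins).  STARTUP_ENABLED must be Yes
  # for the service to start at all; ZONE2ZONE is the separator used in
  # zone-pair chain names such as `net2fw`.
  mkConf = example: ''
    ${readFile example}
    #
    ## Custom config
    ###
    STARTUP_ENABLED=Yes
    ZONE2ZONE=2
  '';
in
{
  services.shorewall = {
    enable = true;
    configs = macros // {
      "shorewall.conf" =
        mkConf "${shorewall.package}/etc-example/shorewall/shorewall.conf";
      # `unused` gets a zone of its own so that enp3s0 is covered by an
      # explicit DROP policy rather than only by the catch-all REJECT.
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv4
        lan ipv4
        unused ipv4
      '';
      # arp_filter and routefilter (rp_filter) are IPv4 anti-spoofing
      # options; nosmurfs drops packets with a broadcast source address and
      # tcpflags rejects illegal TCP flag combinations.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      '';
      inherit policy rules;
    };
  };
  services.shorewall6 = {
    enable = true;
    configs = macros // {
      "shorewall6.conf" =
        mkConf "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf";
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ipv6
        lan ipv6
        unused ipv6
      '';
      # arp_filter/routefilter are IPv4-only and therefore omitted here;
      # nosmurfs and tcpflags apply to both address families.
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 nosmurfs,tcpflags
        lan enp2s0 nosmurfs,tcpflags
        unused enp3s0 nosmurfs,tcpflags
      '';
      inherit policy rules;
    };
  };
}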