losurdo: initial config
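# Shorewall (IPv4) and Shorewall6 (IPv6) firewall for this host.
#
# Both address families share the same macros, policy and rules; only the
# main config file, the zone family and the interface options differ, so the
# per-family `configs` attrsets are built by `mkConfigs` below instead of
# being spelled out twice.
{ pkgs, lib, config, ... }:
let
  inherit (builtins) readFile;
  inherit (config) users;
  inherit (config.services) shorewall shorewall6;

  # Egress: from the firewall host itself ($FW) to the internet (net).
  # A `{user=...}` option restricts the rule to packets generated by that
  # local user, so e.g. only the unbound user may send outbound DNS and only
  # julm may reach HKP/IRCS servers (least-privilege egress).
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net {user=${users.users.unbound.name}}
    Git(ACCEPT) $FW net
    HKP(ACCEPT) $FW net {user=${users.users.julm.name}}
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    IRCS(ACCEPT) $FW net {user=${users.users.julm.name}}
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Ingress: from the internet (net) to the firewall host itself ($FW).
  # This is the host's internet-facing service surface; every line here
  # should correspond to a service that is actually enabled on the host.
  # SSH is rate-limited per source address (`s:`): 1 new connection per
  # minute with a burst of 10.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW {rate=s:1/min:10}
    Sieve(ACCEPT) net $FW
  '';

  # Macros for services Shorewall does not ship a macro for.  Each entry
  # becomes a `macro.<Name>` file, usable as `<Name>(ACTION)` in the rules.
  macros = {
    # git:// protocol
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    # IRC over TLS
    "macro.IRCS" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 6697
    '';
    # mosh's UDP port range
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };

  # Default policy, shared by both families: default-deny in every
  # direction, with rules above opening only what is listed.
  # No LOGLEVEL is set (empty / `none`), so connections dropped or rejected
  # by policy are not logged; put e.g. `info` in the fourth column if policy
  # hits should be visible in the system log for monitoring.
  policy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    net all DROP none
    # WARNING: the following policy must be last
    all all REJECT none
  '';

  # Rules, shared by both families.  Only the NEW section is written; the
  # ESTABLISHED/RELATED sections are left commented out and keep Shorewall's
  # defaults.
  rules = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW

    ${fw2net}
    ${net2fw}
  '';

  # Build the `configs` attrset for one address family.
  #   name:             "shorewall" or "shorewall6"; selects the upstream
  #                     example file and names the main config file
  #   package:          the package whose etc-example file is used as base
  #   zone:             type of the `net` zone ("ipv4" or "ipv6")
  #   interfaceOptions: options for the `net` interface enp1s0
  mkConfigs = { name, package, zone, interfaceOptions }:
    macros // {
      # Upstream example config with our settings appended after it;
      # presumably the later assignment of a variable overrides the example's
      # value — confirm against shorewall.conf(5).
      "${name}.conf" = ''
        ${readFile "${package}/etc-example/${name}/${name}.conf"}
        #
        ## Custom config
        ###
        STARTUP_ENABLED=Yes
        ZONE2ZONE=2
      '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        net ${zone}
      '';
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        net enp1s0 ${interfaceOptions}
      '';
      inherit policy rules;
    };
in
{
  services.shorewall = {
    enable = true;
    configs = mkConfigs {
      name = "shorewall";
      package = shorewall.package;
      zone = "ipv4";
      # arp_filter and routefilter are IPv4-only options, hence absent below
      interfaceOptions = "arp_filter,nosmurfs,routefilter=1,tcpflags";
    };
  };
  services.shorewall6 = {
    enable = true;
    configs = mkConfigs {
      name = "shorewall6";
      package = shorewall6.package;
      zone = "ipv6";
      interfaceOptions = "nosmurfs,tcpflags";
    };
  };
}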