]> Git — Sourcephile - sourcephile-nix.git/blob - install/logical/friot/shorewall.nix
doc: install/logical/machines.list
[sourcephile-nix.git] / install / logical / friot / shorewall.nix
1 {pkgs, lib, config, ...}:
2 let inherit (builtins) hasAttr readFile;
3 inherit (pkgs.lib) unlinesAttrs;
4 inherit (config.services) shorewall shorewall6;
5 zones4 = config.networking.zones;
6 zones6 = config.networking.zones;
7 "macro.Git" = ''
8 ?FORMAT 2
9 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
10 # PORT(S) PORT(S) LIMIT GROUP
11 PARAM - - tcp 9418
12 '';
13 in
14 {
15 config = {
16 services.shorewall = {
17 enable = true;
18 configs = {
19 "shorewall.conf" = ''
20 ${readFile "${shorewall.package}/etc/shorewall/shorewall.conf"}
21 #
22 ## Custom config
23 ###
24 STARTUP_ENABLED=Yes
25 ZONE2ZONE=2
26 '';
27 zones = ''
28 # DOC: shorewall-zones(5)
29 fw firewall
30 '' + unlinesAttrs (zone: _: "${zone} ipv4") zones4;
31 interfaces = ''
32 # DOC: shorewall-interfaces(5)
33 ?FORMAT 2
34 '' + unlinesAttrs (zone: {iface, ...}:
35 "${zone} ${iface} arp_filter,nosmurfs,routefilter,tcpflags") zones4;
36 policy = ''
37 # DOC: shorewall-policy(5)
38 $FW all DROP
39 '' + unlinesAttrs (zone: _: "${zone} all DROP none") zones4
40 + ''
41 # XXX: the following policy must be last
42 all all REJECT none
43 '';
44 rules = ''
45 # DOC: shorewall-rules(5)
46 #SECTION ALL
47 #SECTION ESTABLISHED
48 #SECTION RELATED
49 ?SECTION NEW
50 ''
51 + lib.optionalString (hasAttr "lan" zones4) ''
52 # ----------
53 # $FW -> lan
54 # ----------
55 ACCEPT $FW lan:${zones4.lan.ipv4}/24
56
57 # ----------
58 # lan -> $FW
59 # ----------
60 ACCEPT lan:${zones4.lan.ipv4}/24 $FW
61 ''
62 + lib.optionalString (hasAttr "net" zones4) ''
63 # ----------
64 # $FW -> net
65 # ----------
66
67 # By protocol
68 Ping(ACCEPT) $FW net
69
70 # By port
71 DNS(ACCEPT) $FW net
72 Git(ACCEPT) $FW net
73 HTTP(ACCEPT) $FW net
74 HTTPS(ACCEPT) $FW net
75 SMTP(ACCEPT) $FW net
76 SMTPS(ACCEPT) $FW net
77 SSH(ACCEPT) $FW net
78
79 # ----------
80 # net -> $FW
81 # ----------
82
83 # By protocol
84 Ping(ACCEPT) net $FW
85
86 # By port
87 #HTTPS(ACCEPT) net $FW
88 DNS(ACCEPT) net $FW
89 IMAPS(ACCEPT) net $FW
90 POP3S(ACCEPT) net $FW
91 SMTP(ACCEPT) net $FW
92 SMTPS(ACCEPT) net $FW
93 '';
94 inherit "macro.Git";
95 };
96 };
97 services.shorewall6 = {
98 enable = true;
99 configs = {
100 "shorewall6.conf" = ''
101 ${readFile "${shorewall6.package}/etc/shorewall6/shorewall6.conf"}
102 #
103 ## Custom config
104 ###
105 STARTUP_ENABLED=Yes
106 ZONE2ZONE=2
107 '';
108 zones = ''
109 # DOC: shorewall-zones(5)
110 fw firewall
111 '' + unlinesAttrs (zone: _: "${zone} ipv6") zones6;
112 interfaces = ''
113 # DOC: shorewall-interfaces(5)
114 ?FORMAT 2
115 '' + unlinesAttrs (zone: {iface, ...}: "${zone} ${iface} nosmurfs,tcpflags") zones6;
116 policy = ''
117 # DOC: shorewall-policy(5)
118 $FW all DROP
119 '' + unlinesAttrs (zone: _: "${zone} all DROP none") zones6
120 + ''
121 # XXX: the following policy must be last
122 all all REJECT none
123 '';
124 rules = ''
125 # DOC: shorewall-rules(5)
126 #SECTION ALL
127 #SECTION ESTABLISHED
128 #SECTION RELATED
129 ?SECTION NEW
130 ''
131 + lib.optionalString (hasAttr "lan" zones6) ''
132 # ----------
133 # $FW -> lan
134 # ----------
135 Ping(ACCEPT) $FW lan:fe80::/10
136
137 # ----------
138 # lan -> $FW
139 # ----------
140 Ping(ACCEPT) lan:fe80::/10 $FW
141 SSH(ACCEPT) lan:fe80::/10 $FW
142 Git(ACCEPT) lan:fe80::/10 $FW
143 '';
144 inherit "macro.Git";
145 };
146 };
147 };
148 }