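{ pkgs, lib, config, ... }:
let
  inherit (builtins) readFile;
  inherit (config.services) shorewall shorewall6;

  # The rule fragments, the policy and the rules file are shared verbatim by
  # the IPv4 (shorewall) and IPv6 (shorewall6) instances configured below, so
  # a change made here applies to both stacks.

  # Connections the firewall host itself may open towards the Internet.
  # Anything not listed is dropped by the `$FW all DROP` policy.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net
    Git(ACCEPT) $FW net
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Services reachable from the Internet: this list is the host's public
  # exposure, so add a line only for a service meant to be world-reachable.
  # NOTE(review): DNS is accepted from `net`; confirm the listener behind it
  # is authoritative-only rather than an open recursive resolver.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    #HTTPS(ACCEPT) net $FW
    DNS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW
  '';

  # Connections the firewall host may open towards the LAN.
  fw2lan = ''
    Ping(ACCEPT) $FW lan
    DNS(ACCEPT) $FW lan
    HTTPS(ACCEPT) $FW lan
  '';

  # Services the LAN may reach on the firewall host.
  lan2fw = ''
    Ping(ACCEPT) lan $FW
    SSH(ACCEPT) lan $FW
  '';

  # Extra macro files installed next to the generated configs.
  # macro.Git: TCP port 9418, used by the `Git(ACCEPT)` rule in fw2net.
  macros = {
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
  };

  # Appended after the package's example shorewall(6).conf.  In that file the
  # last assignment of a variable wins, so these override the example values.
  customConf = ''
    #
    ## Custom config
    ###
    STARTUP_ENABLED=Yes
    ZONE2ZONE=2
  '';

  # Default-deny between every pair of zones, including traffic originating
  # from the firewall host itself: whatever the rules do not ACCEPT is DROPped.
  # Policies are matched in order, so the catch-all REJECT must stay last.
  policy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    lan all DROP none
    net all DROP none
    unused all DROP none
    # WARNING: the following policy must be last
    all all REJECT none
  '';

  # Only the NEW section is populated; the ALL/ESTABLISHED/RELATED sections are
  # left out, so Shorewall's default handling of those states applies.
  rules = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW

    ${fw2net}
    ${net2fw}

    ${fw2lan}
    ${lan2fw}
  '';
in
{
  config = {
    services.shorewall = {
      enable = true;
      configs = macros // {
        "shorewall.conf" = ''
          ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
        '' + customConf;
        # `unused` gives the third NIC its own zone, so anything plugged into
        # it still falls under the DROP policy instead of an undefined zone.
        zones = ''
          # DOC: shorewall-zones(5)
          fw firewall
          net ipv4
          lan ipv4
          unused ipv4
        '';
        # arp_filter/nosmurfs/routefilter/tcpflags are Shorewall's per-interface
        # anti-spoofing and packet-sanity options; `dhcp` (IPv4 only) allows
        # DHCP exchanges on the LAN interface.  See shorewall-interfaces(5).
        interfaces = ''
          # DOC: shorewall-interfaces(5)
          ?FORMAT 2
          net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
          lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp
          unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
        '';
        inherit policy rules;
      };
    };
    services.shorewall6 = {
      enable = true;
      configs = macros // {
        "shorewall6.conf" = ''
          ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
        '' + customConf;
        zones = ''
          # DOC: shorewall-zones(5)
          fw firewall
          net ipv6
          lan ipv6
          unused ipv6
        '';
        # NOTE(review): unlike the IPv4 interfaces above, these carry no
        # reverse-path filtering option (routefilter is the IPv4 rp_filter
        # sysctl); shorewall-interfaces(5) documents `rpfilter` for that
        # purpose — confirm the installed version supports it before adding.
        interfaces = ''
          # DOC: shorewall-interfaces(5)
          ?FORMAT 2
          net enp1s0 nosmurfs,tcpflags
          lan enp2s0 nosmurfs,tcpflags
          unused enp3s0 nosmurfs,tcpflags
        '';
        inherit policy rules;
      };
    };
  };
}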