1 { pkgs, lib, config, machines, ... }:
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config) networking;
6 inherit (config.users) users groups;
9 networking.firewall.enable = false;
10 security.lockKernelModules = false;
11 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
12 systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
13 networking.nftables = {
15 ruleset = lib.mkBefore ''
17 set lograte4 { type ipv4_addr; size 65535; flags dynamic; }
18 set lograte6 { type ipv6_addr; size 65535; flags dynamic; }
20 add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "block: "
21 add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "block: "
25 add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "ping-flood: "
26 add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "ping-flood: "
30 add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "smurf: "
31 add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "smurf: "
35 add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
36 add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "bogus-tcp: "
40 add @lograte4 { ip saddr limit rate 1/minute } log level warn prefix "syn-flood: "
41 add @lograte6 { ip6 saddr limit rate 1/minute } log level warn prefix "syn-flood: "
45 tcp flags syn tcp option maxseg size != 536-65535 counter goto bogus-tcp
46 tcp flags & (ack|fin) == fin counter goto bogus-tcp
47 tcp flags & (ack|psh) == psh counter goto bogus-tcp
48 tcp flags & (ack|urg) == urg counter goto bogus-tcp
49 tcp flags & (fin|ack) == fin counter goto bogus-tcp
50 tcp flags & (fin|rst) == (fin|rst) counter goto bogus-tcp
51 tcp flags & (fin|psh|ack) == (fin|psh) counter goto bogus-tcp
52 tcp flags & (syn|fin) == (syn|fin) counter goto bogus-tcp comment "SYN-FIN scan"
53 tcp flags & (syn|rst) == (syn|rst) counter goto bogus-tcp comment "SYN-RST scan"
54 tcp flags == (fin|syn|rst|psh|ack|urg) counter goto bogus-tcp comment "XMAS scan"
55 tcp flags == 0x0 counter goto bogus-tcp comment "NULL scan"
56 tcp flags == (fin|urg|psh) counter goto bogus-tcp
57 tcp flags == (fin|urg|psh|syn) counter goto bogus-tcp comment "NMAP-ID"
58 tcp flags == (fin|urg|syn|rst|ack) counter goto bogus-tcp
60 ct state new tcp flags != syn counter goto bogus-tcp
61 tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn counter goto bogus-tcp
62 tcp flags & (fin|syn|rst|ack) == syn counter limit rate over 30/second burst 60 packets goto syn-flood
65 #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
66 #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
69 #ct state new add @connlimit { ip saddr ct count over 20 } counter tcp reject with tcp reset
71 # Other .nix modules append rules to this chain with: add rule inet filter net2fw ...
74 tcp dport { 80, 443 } counter accept comment "HTTP"
75 udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
76 tcp dport 9418 counter accept comment "Git"
78 # Other .nix modules append rules to this chain with: add rule inet filter fw2net ...
81 # Other .nix modules append rules to this chain with: add rule inet filter intra2fw ...
84 # Other .nix modules append rules to this chain with: add rule inet filter fw2intra ...
87 # Other .nix modules append rules to this chain with: add rule inet filter fwd-intra ...
90 # Traffic That Must Not Be Dropped
91 # https://tools.ietf.org/html/rfc4890#section-4.4.1
92 ip6 nexthdr ipv6-icmp icmpv6 type destination-unreachable counter accept
93 ip6 nexthdr ipv6-icmp icmpv6 type packet-too-big counter accept
94 ip6 nexthdr ipv6-icmp icmpv6 type time-exceeded counter accept
95 ip6 nexthdr ipv6-icmp icmpv6 type parameter-problem counter accept
97 # Address Configuration and Router Selection messages
98 # (must be received with hop limit = 255)
99 ip6 nexthdr ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter accept
100 ip6 nexthdr ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter accept
101 ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter accept
102 ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter accept
103 # redirect messages provide a significant security risk,
104 # and administrators should take a case-by-case approach
105 # to whether firewalls, routers in general,
106 # and other nodes should accept these messages
107 #ip6 nexthdr ipv6-icmp icmpv6 type redirect ip6 hoplimit 255 counter accept
108 ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-solicit ip6 hoplimit 255 counter accept
109 ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-advert ip6 hoplimit 255 counter accept
111 # Link-local multicast receiver notification messages
112 # (must have link-local source address)
113 ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-query ip6 saddr fe80::/10 counter accept
114 ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-report ip6 saddr fe80::/10 counter accept
115 ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-done ip6 saddr fe80::/10 counter accept
116 ip6 nexthdr ipv6-icmp icmpv6 type mld2-listener-report ip6 saddr fe80::/10 counter accept
118 # SEND Certificate Path notification messages
119 # (must be received with hop limit = 255)
120 ip6 nexthdr ipv6-icmp icmpv6 type 148 ip6 hoplimit 255 counter accept comment "certificate-path-solicitation"
121 ip6 nexthdr ipv6-icmp icmpv6 type 149 ip6 hoplimit 255 counter accept comment "certificate-path-advertisement"
123 # Multicast Router Discovery messages
124 # (must have link-local source address and hop limit = 1)
125 ip6 nexthdr ipv6-icmp icmpv6 type 151 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-advertisement"
126 ip6 nexthdr ipv6-icmp icmpv6 type 152 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-solicitation"
127 ip6 nexthdr ipv6-icmp icmpv6 type 153 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-termination"
131 type filter hook input priority 0
138 ct state { established, related } accept
141 ip protocol icmp icmp type echo-reply counter accept
143 ${lib.optionalString networking.enableIPv6 ''
144 # drop packets carrying a type 0 routing header (RH0)
150 ip6 nexthdr ipv6-icmp icmpv6 type echo-reply counter accept
153 ct state invalid counter drop
155 ip protocol icmp icmp type destination-unreachable counter accept
156 ip protocol icmp icmp type time-exceeded counter accept
157 ip protocol icmp icmp type parameter-problem counter accept
158 ip protocol icmp icmp type echo-request limit rate over 10/second burst 20 packets goto ping-flood
159 ip protocol icmp icmp type echo-request counter accept
160 # echo-reply is accepted before the invalid-state drop so that multicast pings,
161 # which have no associated conntrack entry, are still allowed.
163 #ip daddr 224.0.0.251 udp dport 5353 counter accept comment "mDNS"
164 #ip daddr 239.255.255.250 udp dport 1900 counter accept comment "UPnP"
165 #ip saddr 0.0.0.0/32 counter accept comment "DHCP"
166 #ip udp sport 67 udp dport 68 counter accept comment "DHCP"
168 ${lib.optionalString networking.enableIPv6 ''
169 # Traffic That Must Not Be Dropped
170 # https://tools.ietf.org/html/rfc4890#section-4.4.1
171 ip6 nexthdr ipv6-icmp icmpv6 type destination-unreachable counter accept
172 ip6 nexthdr ipv6-icmp icmpv6 type packet-too-big counter accept
173 ip6 nexthdr ipv6-icmp icmpv6 type time-exceeded counter accept
174 ip6 nexthdr ipv6-icmp icmpv6 type parameter-problem counter accept
176 # Connectivity checking messages
177 ip6 nexthdr ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 20 packets goto ping-flood
178 ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
179 # echo-reply is accepted before the invalid-state drop so that multicast pings,
180 # which have no associated conntrack entry, are still allowed.
182 # Address Configuration and Router Selection messages
183 # (must be received with hop limit = 255)
184 ip6 nexthdr ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter accept
185 ip6 nexthdr ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter accept
186 ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter accept
187 ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter accept
188 # redirect messages provide a significant security risk,
189 # and administrators should take a case-by-case approach
190 # to whether firewalls, routers in general,
191 # and other nodes should accept these messages
192 #ip6 nexthdr ipv6-icmp icmpv6 type redirect ip6 hoplimit 255 counter accept
193 ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-solicit ip6 hoplimit 255 counter accept
194 ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-advert ip6 hoplimit 255 counter accept
196 # Link-local multicast receiver notification messages
197 # (must have link-local source address)
198 ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-query ip6 saddr fe80::/10 counter accept
199 ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-report ip6 saddr fe80::/10 counter accept
200 ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-done ip6 saddr fe80::/10 counter accept
201 ip6 nexthdr ipv6-icmp icmpv6 type mld2-listener-report ip6 saddr fe80::/10 counter accept
203 # SEND Certificate Path notification messages
204 # (must be received with hop limit = 255)
205 ip6 nexthdr ipv6-icmp icmpv6 type 148 ip6 hoplimit 255 counter accept comment "certificate-path-solicitation"
206 ip6 nexthdr ipv6-icmp icmpv6 type 149 ip6 hoplimit 255 counter accept comment "certificate-path-advertisement"
208 # Multicast Router Discovery messages
209 # (must have link-local source address and hop limit = 1)
210 ip6 nexthdr ipv6-icmp icmpv6 type 151 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-advertisement"
211 ip6 nexthdr ipv6-icmp icmpv6 type 152 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-solicitation"
212 ip6 nexthdr ipv6-icmp icmpv6 type 153 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-termination"
214 ip6 daddr ff02::fb udp dport 5353 counter accept comment "mDNS"
215 ip6 daddr ff02::f udp dport 1900 counter accept comment "UPnP"
218 ip saddr 224.0.0.0/4 counter goto smurf
219 fib saddr type broadcast counter goto smurf
222 tcp dport 22 counter accept comment "SSH"
223 udp dport 60000-61000 counter accept comment "Mosh"
225 # Other .nix modules append gotos to this chain with: add rule inet filter input iifname ... goto ...
228 type filter hook forward priority 0
231 ip protocol icmp icmp type destination-unreachable counter accept
232 ip protocol icmp icmp type time-exceeded counter accept
233 ip protocol icmp icmp type parameter-problem counter accept
234 ip protocol icmp icmp type echo-request counter accept
236 ${lib.optionalString networking.enableIPv6 ''
237 # Traffic That Must Not Be Dropped
238 # https://tools.ietf.org/html/rfc4890#section-4.3.1
239 ip6 nexthdr ipv6-icmp icmpv6 type destination-unreachable counter accept
240 ip6 nexthdr ipv6-icmp icmpv6 type packet-too-big counter accept
241 ip6 nexthdr ipv6-icmp icmpv6 type time-exceeded counter accept
242 ip6 nexthdr ipv6-icmp icmpv6 type parameter-problem counter accept
244 ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
245 ip6 nexthdr ipv6-icmp icmpv6 type echo-reply counter accept
247 # Traffic That Normally Should Not Be Dropped
248 # https://tools.ietf.org/html/rfc4890#section-4.3.2
249 ip6 nexthdr ipv6-icmp icmpv6 type 144 counter accept comment "home-agent-address-discovery-request"
250 ip6 nexthdr ipv6-icmp icmpv6 type 145 counter accept comment "home-agent-address-discovery-reply"
251 ip6 nexthdr ipv6-icmp icmpv6 type 146 counter accept comment "mobile-prefix-solicitation"
252 ip6 nexthdr ipv6-icmp icmpv6 type 147 counter accept comment "mobile-prefix-advertisement"
256 type filter hook output priority 0
261 ct state { related, established } accept
262 ct state invalid counter drop
264 ip protocol icmp counter accept
265 ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
267 ${lib.optionalString networking.enableIPv6 ''
268 # Connectivity checking messages
269 ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
270 ip6 nexthdr ipv6-icmp icmpv6 type echo-reply counter accept
274 ip6 nexthdr udp ip6 saddr fe80::/10 udp sport 547 ip6 daddr fe80::/10 udp dport 546 counter accept comment "DHCPv6"
277 tcp dport 22 counter accept comment "SSH"
279 # Other .nix modules append gotos to this chain with: add rule inet filter output oifname ... goto ...