{ pkgs, lib, config, ... }:
let
inherit (builtins) hasAttr readFile;
inherit (pkgs.lib) unlinesAttrs;
inherit (config) users;
inherit (config.services) shorewall shorewall6;
fw2net = ''
# By protocol
Ping(ACCEPT) $FW net
# By port
DNS(ACCEPT) $FW net {user=${users.users.unbound.name}}
DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
DNS(ACCEPT) $FW net:78.192.65.63 # for knot to notify ns0.muarf.org
Git(ACCEPT) $FW net
HKP(ACCEPT) $FW net {user=${users.users.julm.name}}
HTTP(ACCEPT) $FW net
HTTPS(ACCEPT) $FW net
SMTP(ACCEPT) $FW net
SMTPS(ACCEPT) $FW net
SSH(ACCEPT) $FW net
'';
net2fw = ''
# By protocol
Ping(ACCEPT) net $FW
# By port
DNS(ACCEPT) net $FW
HTTP(ACCEPT) net $FW
HTTPS(ACCEPT) net $FW
IMAPS(ACCEPT) net $FW
Mosh(ACCEPT) net $FW
POP3S(ACCEPT) net $FW
SMTP(ACCEPT) net $FW
SMTPS(ACCEPT) net $FW
SSH(ACCEPT) net $FW {rate=s:1/min:10}
Sieve(ACCEPT) net $FW
'';
fw2lan = ''
Ping(ACCEPT) $FW lan
DNS(ACCEPT) $FW lan
HTTPS(ACCEPT) $FW lan
'';
lan2fw = ''
Ping(ACCEPT) lan $FW
SSH(ACCEPT) lan $FW
HTTP(ACCEPT) lan $FW
HTTPS(ACCEPT) lan $FW
DNS(ACCEPT) lan $FW
'';
macros = {
"macro.Git" = ''
?FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 9418
'';
"macro.Mosh" = ''
?FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 60000-61000
'';
};
in
{
services.shorewall = {
enable = true;
configs = macros // {
"shorewall.conf" = ''
${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
#
## Custom config
###
STARTUP_ENABLED=Yes
ZONE2ZONE=2
'';
zones = ''
# DOC: shorewall-zones(5)
fw firewall
net ipv4
lan ipv4
unused ipv4
'';
interfaces = ''
# DOC: shorewall-interfaces(5)
?FORMAT 2
net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
'';
policy = ''
# DOC: shorewall-policy(5)
$FW all DROP
lan all DROP none
net all DROP none
unused all DROP none
# WARNING: the following policy must be last
all all REJECT none
'';
rules = ''
# DOC: shorewall-rules(5)
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
?SECTION NEW
${fw2net}
${net2fw}
${fw2lan}
${lan2fw}
'';
};
};
services.shorewall6 = {
enable = true;
configs = macros // {
"shorewall6.conf" = ''
${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
#
## Custom config
###
STARTUP_ENABLED=Yes
ZONE2ZONE=2
'';
zones = ''
# DOC: shorewall-zones(5)
fw firewall
net ipv6
lan ipv6
unused ipv6
'';
interfaces = ''
# DOC: shorewall-interfaces(5)
?FORMAT 2
net enp1s0 nosmurfs,tcpflags
lan enp2s0 nosmurfs,tcpflags
unused enp3s0 nosmurfs,tcpflags
'';
policy = ''
# DOC: shorewall-policy(5)
$FW all DROP
lan all DROP none
net all DROP none
unused all DROP none
# WARNING: the following policy must be last
all all REJECT none
'';
rules = ''
# DOC: shorewall-rules(5)
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
?SECTION NEW
${fw2net}
${net2fw}
${fw2lan}
${lan2fw}
'';
};
};
}