{ pkgs, lib, config, ... }: let inherit (builtins) hasAttr readFile; inherit (pkgs.lib) unlinesAttrs; inherit (config.users) users groups; inherit (config.services) shorewall shorewall6 transmission; fw2net = '' # By protocol Ping(ACCEPT) $FW net # By port DNS(ACCEPT) $FW net {user=${users.unbound.name}} Git(ACCEPT) $FW net HKP(ACCEPT) $FW net {user=${users.julm.name}} HTTP(ACCEPT) $FW net HTTPS(ACCEPT) $FW net ACCEPT $FW net {proto=tcp, dport=8080} IRCS(ACCEPT) $FW net {user=${users.julm.name}} NTP(ACCEPT) $FW net {user=${users.systemd-timesync.name}} SMTP(ACCEPT) $FW net SMTPS(ACCEPT) $FW net SSH(ACCEPT) $FW net Whois(ACCEPT) $FW net ''; net2fw = '' # By protocol Ping(ACCEPT) net $FW # By port DNS(ACCEPT) net $FW HTTP(ACCEPT) net $FW HTTPS(ACCEPT) net $FW IMAPS(ACCEPT) net $FW Mosh(ACCEPT) net $FW POP3S(ACCEPT) net $FW SMTP(ACCEPT) net $FW SMTPS(ACCEPT) net $FW SSH(ACCEPT) net $FW {rate=s:1/min:10} ACCEPT net $FW {proto=tcp, dport=2222} Sieve(ACCEPT) net $FW ''; macros = { "macro.Git" = '' ?FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - - tcp 9418 ''; "macro.IRCS" = '' ?FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - - tcp 6697 ''; "macro.Mosh" = '' ?FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - - udp 60000-61000 ''; }; in { services.shorewall = { enable = true; configs = macros // { "shorewall.conf" = '' ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"} # ## Custom config ### STARTUP_ENABLED=Yes ZONE2ZONE=2 ''; zones = '' # DOC: shorewall-zones(5) fw firewall net ipv4 wet ipv4 ''; interfaces = '' # DOC: shorewall-interfaces(5) ?FORMAT 2 net enp5s0 arp_filter,nosmurfs,routefilter=1,tcpflags,upnpclient wet wlp4s0 arp_filter,nosmurfs,routefilter=1,tcpflags ''; policy = '' # DOC: shorewall-policy(5) $FW all DROP net all DROP none wet all DROP none # WARNING: the following policy must be last all all REJECT none ''; rules = '' # DOC: shorewall-rules(5) #SECTION ALL #SECTION ESTABLISHED #SECTION RELATED ?SECTION NEW ${fw2net} ACCEPT $FW net:192.168.0.0/16 ACCEPT $FW net:224.0.0.0/4 udp 1900 # UPnP ACCEPT $FW net udp {user=${users.transmission.name}} # BitTorrent ${net2fw} ACCEPT net $FW tcp ${toString transmission.settings.peer-port} # BitTorrent ACCEPT net $FW udp ${toString transmission.settings.peer-port} # BitTorrent ''; }; }; services.shorewall6 = { enable = true; configs = macros // { "shorewall6.conf" = '' ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"} # ## Custom config ### STARTUP_ENABLED=Yes ZONE2ZONE=2 ''; zones = '' # DOC: shorewall-zones(5) fw firewall net ipv6 wet ipv6 ''; interfaces = '' # DOC: shorewall-interfaces(5) ?FORMAT 2 net enp5s0 nosmurfs,tcpflags wet wlp4s0 nosmurfs,tcpflags ''; policy = '' # DOC: shorewall-policy(5) $FW all DROP net all DROP none wet all DROP none # WARNING: the following policy must be last all all REJECT none ''; rules = '' # DOC: shorewall-rules(5) #SECTION ALL #SECTION ESTABLISHED #SECTION RELATED ?SECTION NEW ${fw2net} ${net2fw} ''; }; }; }