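{ pkgs, lib, config, ... }:
let
  inherit (builtins) hasAttr readFile;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config.services) shorewall shorewall6;
  # Both address families are generated from the same zone attrset. The code
  # below reads `iface` (shorewall6 interfaces) and `lan.ipv4` (IPv4 lan rules)
  # from its entries; any other attributes are ignored here.
  zones4 = config.networking.zones;
  zones6 = config.networking.zones;
  # Shorewall macro for the git daemon (tcp/9418), installed for both stacks.
  "macro.Git" = ''
    ?FORMAT 2
    #ACTION SOURCE DEST PROTO DEST    SOURCE  RATE  USER/
    #                         PORT(S) PORT(S) LIMIT GROUP
    PARAM   -      -    tcp   9418
  '';
in
{
  config = {
    # ------------------------------------------------------------------
    # IPv4 (shorewall)
    # ------------------------------------------------------------------
    services.shorewall = {
      enable = true;
      configs = {
        # Start from the packaged example shorewall.conf and append overrides
        # (later assignments win in shorewall.conf).
        "shorewall.conf" = ''
          ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
          #
          ## Custom config
          ###
          STARTUP_ENABLED=Yes
          ZONE2ZONE=2
        '';
        # `fw` is always declared; every key of the zone attrset becomes an ipv4 zone.
        zones = ''
          # DOC: shorewall-zones(5)
          fw firewall
        '' + unlinesAttrs (zone: _: "${zone} ipv4") zones4;
        # NOTE(review): the IPv4 interface list is hard-coded while the zones
        # file above is generated from config.networking.zones. Shorewall
        # rejects an interfaces entry for an undeclared zone, so `net`, `maint`
        # and `unused` must be keys of that attrset; conversely a zone declared
        # from the attrset without an interface here (e.g. `lan`) has no members
        # and its rules below match nothing. The generic form is kept in the
        # comment after this entry.
        interfaces = ''
          # DOC: shorewall-interfaces(5)
          ?FORMAT 2
          net    enp1s0 arp_filter,nosmurfs,routefilter,tcpflags
          maint  enp2s0 arp_filter,nosmurfs,routefilter,tcpflags,dhcp
          unused enp3s0 arp_filter,nosmurfs,routefilter,tcpflags
        '';
        /* Generic form, not currently used:
           + unlinesAttrs (zone: {iface, ...}: "${zone} ${iface} arp_filter,nosmurfs,routefilter,tcpflags") zones4
        */
        # Default-deny: the firewall's own outbound traffic and every zone's
        # traffic is DROPped unless an explicit rule ACCEPTs it; the trailing
        # `all all REJECT` must stay last because policies are matched in order.
        policy = ''
          # DOC: shorewall-policy(5)
          $FW all DROP
        '' + unlinesAttrs (zone: _: "${zone} all DROP none") zones4 + ''
          # XXX: the following policy must be last
          all all REJECT none
        '';
        # Rules are only emitted for zones that actually exist in the attrset.
        # lan <-> $FW is wide open in both directions for the /24 around the
        # firewall's lan address (the prefix length is fixed here, not taken
        # from the attrset).
        # NOTE(review): DNS, SMTP, SMTPS, IMAPS and POP3S are accepted from
        # `net`; make sure the daemons behind them are not an open resolver /
        # open relay, since this firewall does not restrict their sources.
        rules = ''
          # DOC: shorewall-rules(5)
          #SECTION ALL
          #SECTION ESTABLISHED
          #SECTION RELATED
          ?SECTION NEW
        '' + lib.optionalString (hasAttr "lan" zones4) ''
          # ----------
          # $FW -> lan
          # ----------
          ACCEPT $FW lan:${zones4.lan.ipv4}/24
          # ----------
          # lan -> $FW
          # ----------
          ACCEPT lan:${zones4.lan.ipv4}/24 $FW
        '' + lib.optionalString (hasAttr "net" zones4) ''
          # ----------
          # $FW -> net
          # ----------
          # By protocol
          Ping(ACCEPT) $FW net
          # By port
          DNS(ACCEPT) $FW net
          Git(ACCEPT) $FW net
          HTTP(ACCEPT) $FW net
          HTTPS(ACCEPT) $FW net
          SMTP(ACCEPT) $FW net
          SMTPS(ACCEPT) $FW net
          SSH(ACCEPT) $FW net
          # ----------
          # net -> $FW
          # ----------
          # By protocol
          Ping(ACCEPT) net $FW
          # By port
          #HTTPS(ACCEPT) net $FW
          DNS(ACCEPT) net $FW
          IMAPS(ACCEPT) net $FW
          POP3S(ACCEPT) net $FW
          SMTP(ACCEPT) net $FW
          SMTPS(ACCEPT) net $FW
          # SSH is reachable from the internet: rate-limit new connections per
          # source address (3/min, burst 5) to blunt password brute-forcing.
          SSH(ACCEPT) net $FW { rate=s:ssh:3/min:5 }
        '';
        inherit "macro.Git";
      };
    };

    # ------------------------------------------------------------------
    # IPv6 (shorewall6)
    # ------------------------------------------------------------------
    services.shorewall6 = {
      enable = true;
      configs = {
        "shorewall6.conf" = ''
          ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
          #
          ## Custom config
          ###
          STARTUP_ENABLED=Yes
          ZONE2ZONE=2
        '';
        zones = ''
          # DOC: shorewall-zones(5)
          fw firewall
        '' + unlinesAttrs (zone: _: "${zone} ipv6") zones6;
        # Unlike the IPv4 side, interfaces are generated from the attrset and
        # require an `iface` attribute on every zone.
        interfaces = ''
          # DOC: shorewall-interfaces(5)
          ?FORMAT 2
        '' + unlinesAttrs (zone: {iface, ...}: "${zone} ${iface} nosmurfs,tcpflags") zones6;
        # Same default-deny shape as IPv4; `all all REJECT` must remain last.
        policy = ''
          # DOC: shorewall-policy(5)
          $FW all DROP
        '' + unlinesAttrs (zone: _: "${zone} all DROP none") zones6 + ''
          # XXX: the following policy must be last
          all all REJECT none
        '';
        # Only link-local (fe80::/10) lan traffic is admitted on IPv6; nothing
        # is accepted from `net` and nothing is accepted outbound from $FW.
        # NOTE(review): with DROP policies, confirm the shorewall6 default
        # actions still pass the ICMPv6 types neighbor discovery needs; only
        # echo is listed explicitly here.
        rules = ''
          # DOC: shorewall-rules(5)
          #SECTION ALL
          #SECTION ESTABLISHED
          #SECTION RELATED
          ?SECTION NEW
        '' + lib.optionalString (hasAttr "lan" zones6) ''
          # ----------
          # $FW -> lan
          # ----------
          Ping(ACCEPT) $FW lan:fe80::/10
          # ----------
          # lan -> $FW
          # ----------
          Ping(ACCEPT) lan:fe80::/10 $FW
          SSH(ACCEPT) lan:fe80::/10 $FW
          Git(ACCEPT) lan:fe80::/10 $FW
        '';
        inherit "macro.Git";
      };
    };
  };
}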