-{ pkgs, lib, config, ... }:
+{ inputs, pkgs, lib, config, ... }:
let
- inherit (builtins) hasAttr readFile;
- inherit (pkgs.lib) unlinesAttrs;
inherit (config) networking;
- inherit (config.users) users groups;
+ inherit (config.users) users;
in
{
-networking.firewall.enable = false;
-security.lockKernelModules = false;
-systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
-systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
-networking.nftables = {
- enable = true;
- ruleset = lib.mkBefore (''
- table inet filter {
- include "${../../../networking/nftables/filter.txt}"
- # A set containing the udp port(s) to which SSDP replies are allowed.
- set ssdp_out {
- type inet_service
- timeout 5s
- }
- chain net2fw {
- #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
- #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
- #jump non-internet
-
- #ct state new add @connlimit { ip saddr ct count over 20 } counter tcp reject with tcp reset
-
- # Some .nix append rules here with: add rule inet filter net2fw ...
- }
- chain fw2net {
- tcp dport { 80, 443 } counter accept comment "HTTP"
- udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
- tcp dport 1965 counter accept comment "Gemini"
- tcp dport 9418 counter accept comment "Git"
-
- # Some .nix append rules here with: add rule inet filter fw2net ...
- }
- chain wifi2fw {
- # Some .nix append rules here with: add rule inet filter wifi2fw ...
- }
- chain fw2wifi {
- # Some .nix append rules here with: add rule inet filter fw2wifi ...
- }
- chain fwd-wifi {
- # Some .nix append rules here with: add rule inet filter fwd-wifi ...
- }
- chain intra2fw {
- # Some .nix append rules here with: add rule inet filter intra2fw ...
- }
- chain fw2intra {
- # Some .nix append rules here with: add rule inet filter fw2intra ...
- }
- chain fwd-intra {
- # Some .nix append rules here with: add rule inet filter fwd-intra ...
- }
- chain extra2fw {
- # Some .nix append rules here with: add rule inet filter extra2fw ...
- }
-
- chain input {
- type filter hook input priority filter
- policy drop
-
- iifname lo accept
-
- jump check-tcp
- ct state { established, related } accept
- jump accept-connectivity-input
- ct state invalid counter drop
-
- # admin services
- tcp dport 22 counter accept comment "SSH"
- udp dport 60000-61000 counter accept comment "Mosh"
-
- # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
- }
- chain forward {
- type filter hook forward priority filter
- policy drop
-
- ct state { related, established } accept
- jump accept-connectivity-forward
- }
- chain output {
- type filter hook output priority filter
- policy drop
-
- oifname lo accept
-
- ct state { related, established } accept
- jump accept-connectivity-output
-
- tcp dport 22 counter accept comment "SSH"
-
- # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
- }
- }
- table inet nat {
- chain prerouting {
- type nat hook prerouting priority filter
- policy accept
- }
- chain postrouting {
- type nat hook postrouting priority srcnat
- policy accept
- }
- }
- '' + lib.optionalString (config.services.upnpc.redirections != []) (''
- # Create a rule for accepting any SSDP packets going to a remembered port.
- add rule inet filter net2fw udp dport @ssdp_out \
- counter accept comment "SSDP answer"
- add rule inet filter fw2net \
- skuid {${users.upnpc.name},${users.nsupdate.name}} \
- tcp dport 1900 \
- counter accept \
- comment "SSDP automatic opening"
- add rule inet filter fw2net \
- skuid {${users.upnpc.name},${users.nsupdate.name}} \
- ip daddr 239.255.255.250 udp dport 1900 \
- set add udp sport @ssdp_out \
- comment "SSDP automatic opening"
- add rule inet filter fw2net \
- skuid {${users.upnpc.name},${users.nsupdate.name}} \
- ip daddr 239.255.255.250 udp dport 1900 \
- counter accept comment "SSDP"
- '' + lib.optionalString config.networking.enableIPv6 ''
- add rule inet filter fw2net \
- skuid {${users.upnpc.name},${users.nsupdate.name}} \
- ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
- set add udp sport @ssdp_out comment "SSDP automatic opening"
- add rule inet filter fw2net \
- skuid {${users.upnpc.name},${users.nsupdate.name}} \
- ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
- counter accept comment "SSDP"
- '')
- );
-};
+ imports = [
+ (inputs.julm-nix + "/nixos/profiles/networking/nftables.nix")
+ ];
+ networking.firewall.enable = false;
+ systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
+ systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ table inet filter {
+ chain input-net {
+ #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
+ #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
+ tcp dport ssh counter accept comment "SSH"
+ udp dport 60000-61000 counter accept comment "Mosh"
+ }
+ chain output-net {
+ tcp dport { ssh, 2222 } counter accept comment "SSH"
+ tcp dport { http, https } counter accept comment "HTTP"
+ udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
+ tcp dport 1965 counter accept comment "Gemini"
+ tcp dport git counter accept comment "Git"
+ }
+ chain forward {
+ ct state { related, established } accept
+ jump output-connectivity
+ }
+ }
+ '';
+ };
}
sourcephile / git / sourcephile-nix.git / blobdiff