chain fwd-intra {
# Some .nix append rules here with: add rule inet filter fwd-intra ...
}
- chain icmpv6 {
+ chain extra2fw {
+ # Some .nix append rules here with: add rule inet filter extra2fw ...
+ }
+ chain accept-icmpv6 {
# Traffic That Must Not Be Dropped
# https://tools.ietf.org/html/rfc4890#section-4.4.1
- ip6 nexthdr ipv6-icmp icmpv6 type destination-unreachable counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type packet-too-big counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type time-exceeded counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type parameter-problem counter accept
+ icmpv6 type destination-unreachable counter accept
+ icmpv6 type packet-too-big counter accept
+ icmpv6 type time-exceeded counter accept
+ icmpv6 type parameter-problem counter accept
# Address Configuration and Router Selection messages
# (must be received with hop limit = 255)
- ip6 nexthdr ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter accept
+ icmpv6 type nd-router-solicit ip6 hoplimit 255 counter accept
ip6 nexthdr ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter accept
- # redirect messages provide a significant security risk,
- # and administrators should take a case-by-case approach
- # to whether firewalls, routers in general,
- # and other nodes should accept these messages
- #ip6 nexthdr ipv6-icmp icmpv6 type redirect ip6 hoplimit 255 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-solicit ip6 hoplimit 255 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-advert ip6 hoplimit 255 counter accept
+ icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter accept
+ icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter accept
+ icmpv6 type nd-redirect ip6 hoplimit 255 log level warn prefix "icmpv6: nd-redirect: " counter drop
+ icmpv6 type ind-neighbor-solicit ip6 hoplimit 255 counter accept
+ icmpv6 type ind-neighbor-advert ip6 hoplimit 255 counter accept
# Link-local multicast receiver notification messages
# (must have link-local source address)
- ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-query ip6 saddr fe80::/10 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-report ip6 saddr fe80::/10 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-done ip6 saddr fe80::/10 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type mld2-listener-report ip6 saddr fe80::/10 counter accept
+ icmpv6 type mld-listener-query ip6 saddr fe80::/10 counter accept
+ icmpv6 type mld-listener-report ip6 saddr fe80::/10 counter accept
+ icmpv6 type mld-listener-done ip6 saddr fe80::/10 counter accept
+ # https://tools.ietf.org/html/rfc3810 Multicast Listener Discovery Version 2 (MLDv2) for IPv6
+ icmpv6 type mld2-listener-report ip6 saddr fe80::/10 counter accept
# SEND Certificate Path notification messages
# (must be received with hop limit = 255)
- ip6 nexthdr ipv6-icmp icmpv6 type 148 ip6 hoplimit 255 counter accept comment "certificate-path-solicitation"
- ip6 nexthdr ipv6-icmp icmpv6 type 149 ip6 hoplimit 255 counter accept comment "certificate-path-advertisement"
+ icmpv6 type 148 ip6 hoplimit 255 counter accept comment "certificate-path-solicitation"
+ icmpv6 type 149 ip6 hoplimit 255 counter accept comment "certificate-path-advertisement"
# Multicast Router Discovery messages
# (must have link-local source address and hop limit = 1)
- ip6 nexthdr ipv6-icmp icmpv6 type 151 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-advertisement"
- ip6 nexthdr ipv6-icmp icmpv6 type 152 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-solicitation"
- ip6 nexthdr ipv6-icmp icmpv6 type 153 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-termination"
+ icmpv6 type 151 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-advertisement"
+ icmpv6 type 152 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-solicitation"
+ icmpv6 type 153 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-termination"
}
chain input {
- type filter hook input priority 0
+ type filter hook input priority filter
policy drop
iifname lo accept
ct state { established, related } accept
+ # Connectivity checking messages
# (multicast) ping
ip protocol icmp icmp type echo-reply counter accept
# (multicast) ping
ip6 nexthdr ipv6-icmp icmpv6 type echo-reply counter accept
+
+ #ip6 daddr fe80::/64 udp dport 546 counter accept comment "DHCPv6"
''}
ct state invalid counter drop
#ip udp sport 67 udp dport 68 counter accept comment "DHCP"
${lib.optionalString networking.enableIPv6 ''
- # Traffic That Must Not Be Dropped
- # https://tools.ietf.org/html/rfc4890#section-4.4.1
- ip6 nexthdr ipv6-icmp icmpv6 type destination-unreachable counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type packet-too-big counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type time-exceeded counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type parameter-problem counter accept
+ ip6 nexthdr ipv6-icmp jump accept-icmpv6
# Connectivity checking messages
- ip6 nexthdr ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 20 packets goto ping-flood
- ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
- # echo-reply is handled before invalid packets to allow multicast ping
- # which do not have an associated connection.
-
- # Address Configuration and Router Selection messages
- # (must be received with hop limit = 255)
- ip6 nexthdr ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter accept
- # redirect messages provide a significant security risk,
- # and administrators should take a case-by-case approach
- # to whether firewalls, routers in general,
- # and other nodes should accept these messages
- #ip6 nexthdr ipv6-icmp icmpv6 type redirect ip6 hoplimit 255 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-solicit ip6 hoplimit 255 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type ind-neighbor-advert ip6 hoplimit 255 counter accept
-
- # Link-local multicast receiver notification messages
- # (must have link-local source address)
- ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-query ip6 saddr fe80::/10 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-report ip6 saddr fe80::/10 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type mld-listener-done ip6 saddr fe80::/10 counter accept
- ip6 nexthdr ipv6-icmp icmpv6 type mld2-listener-report ip6 saddr fe80::/10 counter accept
-
- # SEND Certificate Path notification messages
- # (must be received with hop limit = 255)
- ip6 nexthdr ipv6-icmp icmpv6 type 148 ip6 hoplimit 255 counter accept comment "certificate-path-solicitation"
- ip6 nexthdr ipv6-icmp icmpv6 type 149 ip6 hoplimit 255 counter accept comment "certificate-path-advertisement"
+ icmpv6 type echo-request counter accept
+ # echo-reply is handled before invalid because of multicast
- # Multicast Router Discovery messages
- # (must have link-local source address and hop limit = 1)
- ip6 nexthdr ipv6-icmp icmpv6 type 151 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-advertisement"
- ip6 nexthdr ipv6-icmp icmpv6 type 152 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-solicitation"
- ip6 nexthdr ipv6-icmp icmpv6 type 153 ip6 saddr fe80::/10 ip6 hoplimit 1 counter accept comment "multicast-router-termination"
+ ip6 nexthdr ipv6-icmp log level err prefix "net2fw: icmpv6: catch all: " counter reject
ip6 daddr ff02::fb udp dport 5353 counter accept comment "mDNS"
ip6 daddr ff02::f udp dport 1900 counter accept comment "UPnP"
# Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
}
chain forward {
- type filter hook forward priority 0
+ type filter hook forward priority filter
policy drop
+ ct state { related, established } accept
+
ip protocol icmp icmp type destination-unreachable counter accept
ip protocol icmp icmp type time-exceeded counter accept
ip protocol icmp icmp type parameter-problem counter accept
ip6 nexthdr ipv6-icmp icmpv6 type time-exceeded counter accept
ip6 nexthdr ipv6-icmp icmpv6 type parameter-problem counter accept
+ # Connectivity checking messages
ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
ip6 nexthdr ipv6-icmp icmpv6 type echo-reply counter accept
''}
}
chain output {
- type filter hook output priority 0
+ type filter hook output priority filter
policy drop
oifname lo accept
ct state { related, established } accept
- ct state invalid counter drop
ip protocol icmp counter accept
ip daddr 224.0.0.0/4 udp dport 1900 counter accept comment "UPnP"
+ meta skuid 0 udp dport 33434-33523 counter accept comment "traceroute"
${lib.optionalString networking.enableIPv6 ''
+ ip6 nexthdr ipv6-icmp jump accept-icmpv6
+
# Connectivity checking messages
ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
ip6 nexthdr ipv6-icmp icmpv6 type echo-reply counter accept
- jump icmpv6
-
+ ip6 nexthdr ipv6-icmp log level err prefix "fw2net: icmpv6: catch all: " counter reject
- ip6 nexthdr udp ip6 saddr fe80::/10 udp sport 547 ip6 daddr fe80::/10 udp dport 546 counter accept comment "DHCPv6"
+ ip6 daddr ff02::1:2/64 udp dport 547 counter accept comment "DHCPv6"
''}
+ ct state invalid log level warn prefix "fw2net: invalid: " counter drop
+
tcp dport 22 counter accept comment "SSH"
# Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
}
}
+ table inet nat {
+ chain prerouting {
+ type nat hook prerouting priority filter
+ policy accept
+ }
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
+ }
+ }
'';
};
}
sourcephile / git / sourcephile-nix.git / blobdiff