authorquentin@aristote.fr <quentin@aristote.fr>2023-06-17 20:16:31 +0200
committerquentin@aristote.fr <quentin@aristote.fr>2023-06-17 23:08:25 +0200
commit6035a5e7ad00ecbe79627ff1e36c6e43e17eadbc (patch)
tree90d1786d04001877bace801b30d895a1bcd3fbe2
parent22e870761ed881d9bd57ce13e72f5efac580c6f3 (diff)
config: firewall: fix sonos
-rw-r--r--config/networking/default.nix6
-rw-r--r--config/networking/services/firewall/ruleset.nix67
-rw-r--r--flake.lock18
3 files changed, 43 insertions, 48 deletions
diff --git a/config/networking/default.nix b/config/networking/default.nix
index 3751a02..3d8c464 100644
--- a/config/networking/default.nix
+++ b/config/networking/default.nix
@@ -71,7 +71,11 @@ in {
device = "wlp5s0";
interface = "iot";
subnet = "192.168.3";
- machines = { self.address = "192.168.3.1"; };
+ machines = {
+ self.address = "192.168.3.1";
+ sonos-move.address = "192.168.3.28";
+ sonos-play1.address = "192.168.3.29";
+ };
};
};
};
diff --git a/config/networking/services/firewall/ruleset.nix b/config/networking/services/firewall/ruleset.nix
index ef110ef..7184de7 100644
--- a/config/networking/services/firewall/ruleset.nix
+++ b/config/networking/services/firewall/ruleset.nix
@@ -67,15 +67,19 @@ let
'';
# https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos
# https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454
- sonos-app = ''
- ip protocol tcp \
- tcp dport { 1400, 1443, 3400, 3401, 3500, 4444 } \
- accept comment "sonos: app control"
- ip protocol udp \
- udp dport { 1901, 6969, 32412, 32414 } \
- accept comment "sonos: app control"
- '';
- # # https://docs.syncthing.net/users/firewall.html
+ sonos = {
+ controller-player = ''
+ ip protocol tcp \
+ tcp dport { 1400, 1443, 4444 } \
+ accept comment "sonos: app control: system update"
+ '';
+ player-controller = ''
+ ip protocol tcp \
+ tcp dport { 3400, 3401, 3500 } \
+ accept comment "sonos: app control: player to controller"
+ '';
+ };
+ # https://docs.syncthing.net/users/firewall.html
syncthing = ''
ip protocol tcp \
tcp sport 22000 \
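Review bot: The comment on the new `controller-player` rule, `accept comment "sonos: app control: system update"`, labels 1400, 1443 and 4444 with one mixed purpose, while the commented-out chain this same commit deletes further down attributed 4444 alone to `"sonos: system updates"`; keeping the two apart, e.g. `accept comment "sonos: controller to player (1400, 1443) and system update (4444)"`, would make the port list auditable against the linked Sonos article. The UDP ports the old `sonos-app` carried (1901, 6969, 32412, 32414) no longer appear in any `sonos` rule; if discovery is now meant to be covered by `ssdp` (its definition is outside this hunk), a one-line comment next to `sonos = {` saying so would document that, and if setup on 6969 was dropped deliberately that deserves a note as well. The enclosing `let` binding list starts before and continues past the hunk.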
@@ -95,28 +99,27 @@ in {
};
};
chains = {
- wan_in.rules = with rulesCommon; dns + dhcp + ssh;
+ wan_in.rules = with rulesCommon; dns + dhcp + ssh + ssdp;
iot_in.rules = with rulesCommon; dns + dhcp + igmp;
- lan_in.rules = rulesCommon.igmp;
input = makeBaseChain "filter" "input" {
rules = with rulesCommon;
conntrack + ping + ''
- meta iifname vmap { lo : accept \
- , ${nets.lan.interface} : goto lan_in \
+ meta iifname vmap { lo : accept \
, ${nets.wan.interface} : goto wan_in \
, ${nets.iot.interface} : goto iot_in }
'';
};
- lan_wan.rules = with rulesCommon; sonos-app;
+ iot_wan.rules = rulesCommon.sonos.player-controller;
+ wan_iot.rules = with rulesCommon; sonos.controller-player + ssdp;
forward = makeBaseChain "filter" "forward" {
rules = with rulesCommon;
''
ip protocol { udp, tcp } flow add @default
'' + conntrack + ''
meta oifname ${nets.lan.interface} accept
- meta iifname ${nets.lan.interface} \
- meta oifname ${nets.wan.interface} \
- goto lan_wan
+ meta iifname . meta oifname vmap \
+ { ${nets.wan.interface} . ${nets.iot.interface} : goto wan_iot \
+ , ${nets.iot.interface} . ${nets.wan.interface} : goto iot_wan }
'';
};
};
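Review bot: Packets arriving on the lan interface no longer match any entry of the `input` vmap once `${nets.lan.interface} : goto lan_in` and `lan_in.rules` are gone, so they fall through to whatever policy `makeBaseChain "filter" "input"` sets (not visible here); the `forward` chain still references `nets.lan.interface`, so the interface is still defined, and if the base policy is drop, the IGMP that `lan_in` previously accepted is now dropped on input. If that is intended, a short comment on the vmap such as `# lan: no input rules, falls through to the chain policy` would say so; if not, the entry should be restored. Separately, `wan_in` now also accepts `ssdp` on the host itself; a comment naming which service on the router listens for SSDP would let a reader confirm that exposure is wanted. The `chains` set continues past the hunk.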
@@ -147,11 +150,14 @@ in {
bridge = {
filter = makeTable {
chains = {
- iot_wan.rules = rulesCommon.sonos-app;
- wan_iot.rules = with rulesCommon; igmp + ssdp + sonos-app + ''
- ip protocol udp udp sport 5353 udp dport 5353 accept comment mdns
- log level debug prefix waniot
- '';
+ iot_iot.rules = with rulesCommon;
+ ''
+ ip saddr { ${nets.iot.machines.sonos-move.address} \
+ , ${nets.iot.machines.sonos-play1.address} } \
+ ip daddr { ${nets.iot.machines.sonos-move.address} \
+ , ${nets.iot.machines.sonos-play1.address} } \
+ accept comment "sonos: player to player"
+ '' + ssdp + sonos.player-controller + sonos.controller-player;
wan_wan.rules = with rulesCommon; syncthing + kdeconnect;
forward = makeBaseChain "filter" "forward" {
rules = with rulesCommon;
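Review bot: The new `iot_iot` player-to-player rule accepts on `ip saddr`/`ip daddr` alone, and in a bridge chain an address match is only as reliable as the address assignment behind it, which this hunk does not show; if the two players have fixed leases or static configuration, a comment such as `# player addresses are pinned — see nets.iot.machines` would make that assumption explicit, and matching `ether saddr` as well would anchor the rule to the players rather than to whatever currently holds those addresses. The three rules appended after it (`ssdp`, `sonos.player-controller`, `sonos.controller-player`) carry no address restriction, so any port on the iot bridge may reach those TCP ports on any other; a one-line comment on why both directions are needed inside the iot bridge would help the next reader. The enclosing `chains` set continues past the hunk.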
@@ -160,8 +166,7 @@ in {
'' + ping + ''
meta ibrname . meta obrname vmap \
{ ${nets.wan.interface} . ${nets.wan.interface} : goto wan_wan \
- , ${nets.wan.interface} . ${nets.iot.interface} : goto wan_iot \
- , ${nets.iot.interface} . ${nets.iot.interface} : goto wan_iot }
+ , ${nets.iot.interface} . ${nets.iot.interface} : goto iot_iot }
'';
};
};
@@ -169,20 +174,6 @@ in {
};
}
-# chain sonos {
-# ip protocol tcp \
-# tcp sport 4444 \
-# tcp dport 4444 \
-# accept comment "sonos: system updates"
-# ip protocol udp \
-# udp sport 6969 \
-# udp dport 6969 \
-# accept comment "sonos: setup"
-# ip protocol udp \
-# udp sport { 32413, 32414 } \
-# udp dport { 32412, 32414 } \
-# accept comment "sonos"
-# }
# chain steam {
# # https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB
# ip protocol { udp, tcp } \
diff --git a/flake.lock b/flake.lock
index 1b095c3..3c195c4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -24,11 +24,11 @@
"nur": "nur"
},
"locked": {
- "lastModified": 1685793683,
- "narHash": "sha256-cm14871fdWn1G6oneOk9hkoaJUyep40bOXkxGKsKp0A=",
+ "lastModified": 1685874473,
+ "narHash": "sha256-b3Cc2bfyk4Qm+ySvvu7ZfKQgQh/LHEaV/pL1/w14In8=",
"owner": "qaristote",
"repo": "my-nixpkgs",
- "rev": "b5c31329bfbf8833bf58610a5df419ef375f7be5",
+ "rev": "4acf950ae2a90c97b5fcc2c65ff95b25238cca62",
"type": "github"
},
"original": {
@@ -39,11 +39,11 @@
},
"nixos-hardware": {
"locked": {
- "lastModified": 1684899633,
- "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=",
+ "lastModified": 1686838567,
+ "narHash": "sha256-aqKCUD126dRlVSKV6vWuDCitfjFrZlkwNuvj5LtjRRU=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d",
+ "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89",
"type": "github"
},
"original": {
@@ -67,11 +67,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1685701911,
- "narHash": "sha256-qoBUwecp2SgY8Haa0b13t3pu5hHcdSHFAtQl18tB5bw=",
+ "lastModified": 1686968143,
+ "narHash": "sha256-NkXmT9ArJBeu56jo/agURQ1pvqrx0nUHi30yM7sttK8=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "6d5bc0380bec4392109e0f60928b424ce9b179c7",
+ "rev": "56799517d0537a6f3e91a5171af8c4bfd82c092e",
"type": "github"
},
"original": {