diff options
| author | quentin@aristote.fr <quentin@aristote.fr> | 2023-05-18 13:39:06 +0200 |
|---|---|---|
| committer | quentin@aristote.fr <quentin@aristote.fr> | 2023-05-20 20:13:45 +0200 |
| commit | 925fc182e5ea9b87c3a62e80f5a20be4e827cd3b (patch) | |
| tree | dc3772ee2a298fd6f39b8ab355aaecd8d5da593e /config/networking/services/firewall.nix | |
| parent | 001f53d081b78c5145cd7449f08f783bb56f35e3 (diff) | |
config: networking: hostapd: disable low-level bridging
Diffstat (limited to 'config/networking/services/firewall.nix')
| -rw-r--r-- | config/networking/services/firewall.nix | 165 |
1 files changed, 0 insertions, 165 deletions
diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix deleted file mode 100644 index a0aa281..0000000 --- a/config/networking/services/firewall.nix +++ /dev/null @@ -1,165 +0,0 @@ -{ config, lib, ... }: - -let nets = config.personal.networking.networks; -in { - boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; }; - - networking = { - nftables = { - enable = true; - ruleset = with nets; '' - table ip filter { - chain conntrack { - ct state vmap { established : accept \ - , related : accept \ - , invalid : drop } - } - chain dhcp { - # https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#Operation - ip protocol udp \ - udp sport 68 \ - udp dport 67 \ - accept comment "dhcp" - } - chain dns { - # https://en.wikipedia.org/wiki/Domain_Name_System#Transport_protocols - ip protocol { tcp, udp } \ - th sport 53 \ - th dport 53 \ - accept comment "dns" - } - chain kdeconnect { - # https://userbase.kde.org/KDEConnect#I_have_two_devices_running_KDE_Connect_on_the_same_network,_but_they_can't_see_each_other - ip protocol { tcp, udp } \ - th sport 1714-1764 \ - th dport 1714-1764 \ - accept comment "kdeconnect" - } - chain sonos_app { - # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos - # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454 - ip protocol tcp \ - tcp sport { 1400, 3400, 3401, 3500 } \ - tcp dport { 1400, 3400, 3401, 3500 } \ - accept comment "sonos: app control" - ip protocol udp \ - udp sport 1900-1901 \ - udp dport 1900-1901 \ - accept comment "sonos: app control" - } - chain sonos { - # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos - # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454 - ip protocol tcp \ - tcp sport 4444 \ - tcp dport 4444 \ - accept comment "sonos: system updates" - ip protocol udp \ - udp sport 6969 \ - udp dport 6969 \ - accept comment "sonos: setup" - ip protocol udp \ - udp sport { 32413, 32414 } \ - udp dport { 32412, 32414 } \ - accept comment "sonos" - } - chain ssh { - ip protocol tcp \ - tcp dport 22 \ - accept comment "ssh" - } - chain steam { - # https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB - ip protocol { udp, tcp } \ - th dport 27015-27050 \ - accept comment "steam: login, download" - ip protocol udp \ - udp dport 27000-27100 \ - accept comment "steam: client: game traffic" - ip protocol . th sport \ - { udp . 27031-27036, tcp . 27036 } \ - accept comment "steam: client: remote play" - ip protocol udp \ - udp dport 4380 \ - accept comment "steam: client" - ip protocol tcp \ - tcp sport 27015 \ - accept comment "steam: servers: SRCDS Rcon port" - ip protocol udp \ - udp sport 27015 \ - accept comment "steam: servers: gameplay traffic" - ip protocol udp \ - udp dport { 3478, 4379, 4380, 27014-27030 } \ - accept comment "steam: p2p, voice chat" - } - chain syncthing { - # https://docs.syncthing.net/users/firewall.html - ip protocol { tcp, udp } \ - th sport 22000 \ - th dport 22000 \ - accept comment "syncthing" - ip protocol udp \ - udp sport 21027 \ - udp dport 21027 \ - accept comment "syncthing: discovery broadcasts" - } - - chain in_wan { - jump dns - jump dhcp - jump ssh - } - chain in_iot { - jump dns - jump dhcp - } - chain inbound { - type filter hook input priority 0; policy drop; - icmp type echo-request limit rate 5/second accept - jump conntrack - meta iifname vmap \ - { lo : accept \ - , ${lan.interface} : drop \ - , ${wan.interface} : goto in_wan \ - , ${iot.interface} : goto in_iot } - } - - chain wan_wan { - jump kdeconnect - jump syncthing - } - chain iot_wan { - jump sonos_app - } - chain forward { - type filter hook forward priority 0; policy drop; - jump conntrack - meta oifname ${lan.interface} accept - meta iifname ${wan.interface} meta oifname ${wan.interface} \ - goto wan_wan - meta iifname ${iot.interface} meta oifname ${wan.interface} \ - goto iot_wan - } - } - - table ip nat { - chain postrouting { - type nat hook postrouting priority 100; policy accept; - meta oifname ${lan.interface} snat to ${lan.machines.self.address} - } - } - - table ip6 global6 { - chain input { - type filter hook input priority 0; policy drop; - } - chain forward { - type filter hook forward priority 0; policy drop; - } - } - ''; - }; - - firewall.enable = lib.mkForce false; - }; -} |