authorquentin@aristote.fr <quentin@aristote.fr>2023-04-13 16:55:57 +0200
committerquentin@aristote.fr <quentin@aristote.fr>2023-04-13 16:55:57 +0200
commit93758f328e21d5ccc1f8e90011e04382b330bf38 (patch)
treeb1a4d1cf906b5a0786fae09ed9e5ffcdaa753b89 /config/networking/services/firewall.nix
parent3d3d9dc685e90fb745eb0d6633e78bf578a4423f (diff)
networking: firewall: stricter rules
Diffstat (limited to 'config/networking/services/firewall.nix')
-rw-r--r--config/networking/services/firewall.nix127
1 files changed, 97 insertions, 30 deletions
diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix
index 1d8a297..30b1a93 100644
--- a/config/networking/services/firewall.nix
+++ b/config/networking/services/firewall.nix
@@ -8,50 +8,118 @@ in {
nftables = {
enable = true;
ruleset = with nets; ''
- table ip global {
- chain inbound_lan {
- icmp type echo-request limit rate 5/second accept
+ table ip filter {
+ chain conntrack {
+ ct state vmap { established : accept \
+ , related : accept \
+ , invalid : drop }
}
- chain inbound_wan {
- icmp type echo-request limit rate 5/second accept
- ip protocol . th dport { tcp . 22 \
- , udp . 53 \
- , tcp . 53 \
- , udp . 67 } accept
+ chain dhcp {
+ # https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#Operation
+ ip protocol udp \
+ udp sport 68 \
+ udp dport 67 \
+ accept comment "dhcp"
}
- chain inbound_iot {
- icmp type echo-request limit rate 5/second accept
- ip protocol . th dport { udp . 53 \
- , tcp . 53 \
- , udp . 67 } accept
+ chain dns {
+ # https://en.wikipedia.org/wiki/Domain_Name_System#Transport_protocols
+ ip protocol { tcp, udp } \
+ th sport 53 \
+ th dport 53 \
+ accept comment "dns"
+ }
+ chain kdeconnect {
+ # https://userbase.kde.org/KDEConnect#I_have_two_devices_running_KDE_Connect_on_the_same_network,_but_they_can't_see_each_other
+ ip protocol { tcp, udp } \
+ th sport 1714-1764 \
+ th dport 1714-1764 \
+ accept comment "kdeconnect"
+ }
+ chain sonos_app {
+ # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos
+ # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454
+ ip protocol . th sport . th dport \
+ { tcp . { 1400, 3400, 3401, 3500 } \
+ . { 1400, 3400, 3401, 3500 } \
+ , udp . 1900-1901 \
+ . 1900-1901 } \
+ accept comment "sonos: app control"
+ }
+ chain sonos {
+ # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos
+ # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454
+ ip protocol . th sport . th dport vmap \
+ { tcp . 4444 . 4444 : comment "sonos: system updates" \
+ , udp . 6969 . 6969 : comment "sonos: setup" \
+ , udp . { 32412, 32414 } \
+ . { 32412, 32414 } : comment "sonos" } accept
+ }
+ chain ssh {
+ ip protocol tcp \
+ tcp sport 22 \
+ tcp dport 22 \
+ accept comment "ssh"
}
+ chain steam {
+ # https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB
+ ip protocol . th sport . th dport vmap \
+ { udp . >= 0 . 27000-27100 : \
+ comment "steam: client: game traffic" \
+ , udp . 27031-27036 . >= 0 : \
+ comment "steam: client: remote play" \
+ , tcp . 27036 . >= 0 : \
+ comment "steam: client: remote play" \
+ , udp . >= 0 . 4380 : \
+ comment "steam: client" \
+ , tcp . 27015 . >= 0 : \
+ comment "steam: servers: SRCDS Rcon port" \
+ , udp . 27015 . >= 0 : \
+ comment "steam: servers: gameplay traffic" \
+ , udp . >= 0 . { 3478 \
+ , 4379 \
+ , 4380 \
+ , 27014-27030 } : \
+ comment "steam: p2p, voice chat" }
+ accept
+ }
+ chain syncthing {
+ # https://docs.syncthing.net/users/firewall.html
+ ip protocol { tcp, udp } \
+ th sport 22000 \
+ th dport 22000 \
+ accept comment "syncthing"
+ ip protocol udp \
+ udp sport 21027 \
+ udp dport 21027 \
+ accept comment "syncthing: discovery broadcasts"
+ }
+
chain inbound {
type filter hook input priority 0; policy drop;
icmp type echo-request limit rate 5/second accept
- ct state vmap { { established \
- , related } : accept \
- , invalid : drop }
- meta iifname vmap { lo : accept \
- , ${lan.interface} : jump inbound_lan \
- , ${wan.interface} : jump inbound_wan \
- , ${iot.interface} : jump inbound_iot }
+ jump conntrack
+ meta iifname vmap \
+ { lo : accept \
+ , ${lan.interface} : drop \
+ , ${wan.interface} : jump dns jump dhcp jump ssh \
+ , ${iot.interface} : jump dns jump dhcp }
}
chain forward {
- type filter hook input priority 0; policy drop;
- ct state vmap { { established \
- , related } : accept \
- , invalid : drop }
+ type filter hook forward priority 0; policy drop;
+ jump conntrack
meta oifname ${lan.interface} accept
- meta iifname ${wan.interface} accept
- meta iifname ${iot.interface} meta oifname ${iot.interface} accept
+ meta iifname ${wan.interface} meta oifname ${wan.interface} \
+ jump kdeconnect jump syncthing
+ meta iifname ${iot.interface} meta oifname ${wan.interface} \
+ jump sonos_app
}
}
table ip nat {
chain postrouting {
type nat hook postrouting priority 100; policy accept;
- meta oifname ${lan.interface} masquerade
+ meta oifname ${lan.interface} snat to ${lan.machines.self.address}
}
}
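Review bot: The new ssh and dns chains require the source port to equal the service port (`tcp sport 22 tcp dport 22`, `th sport 53 th dport 53`), which ordinary clients connecting from an ephemeral port never satisfy, so the `jump dns jump dhcp jump ssh` entries for the wan and iot interfaces in the inbound vmap would in practice accept nothing; a source-port match adds no protection either, since the remote end chooses it. Matching only the destination port, e.g. `tcp dport 22 accept comment "ssh"` and `th dport 53 accept comment "dns"`, expresses the intent, and the same sport/dport pairing appears in kdeconnect, syncthing and sonos_app. Several constructs also look syntactically doubtful to me and should be confirmed: vmap values that are a `comment` rather than a verdict (sonos, steam), more than one `jump` in a single vmap value or rule (the wan/iot entries of the inbound vmap and the two forward rules), `>= 0` as a set element, and the bare `accept` on the line after the steam vmap closes without a continuation, which if parsed as its own rule is an unconditional accept in that chain. Since `firewall.enable = false` is set below, a ruleset that fails to load leaves the host with no packet filtering at all, so validate it with `nft -c -f` before deploying.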
@@ -62,11 +130,10 @@ in {
chain forward {
type filter hook forward priority 0; policy drop;
}
- }
+ }
'';
};
firewall.enable = false;
};
}
-