diff options
Diffstat (limited to 'config/networking/services/firewall.nix')
| -rw-r--r-- | config/networking/services/firewall.nix | 99 |
1 files changed, 63 insertions, 36 deletions
diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix index 30b1a93..2dcf452 100644 --- a/config/networking/services/firewall.nix +++ b/config/networking/services/firewall.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, lib, ... }: let nets = config.personal.networking.networks; in { @@ -38,21 +38,30 @@ in { chain sonos_app { # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454 - ip protocol . th sport . th dport \ - { tcp . { 1400, 3400, 3401, 3500 } \ - . { 1400, 3400, 3401, 3500 } \ - , udp . 1900-1901 \ - . 1900-1901 } \ + ip protocol tcp \ + tcp sport { 1400, 3400, 3401, 3500 } \ + tcp dport { 1400, 3400, 3401, 3500 } \ + accept comment "sonos: app control" + ip protocol udp \ + udp sport 1900-1901 \ + udp dport 1900-1901 \ accept comment "sonos: app control" } chain sonos { # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454 - ip protocol . th sport . th dport vmap \ - { tcp . 4444 . 4444 : comment "sonos: system updates" \ - , udp . 6969 . 6969 : comment "sonos: setup" \ - , udp . { 32412, 32414 } \ - . { 32412, 32414 } : comment "sonos" } accept + ip protocol tcp \ + tcp sport 4444 \ + tcp dport 4444 \ + accept comment "sonos: system updates" + ip protocol udp \ + udp sport 6969 \ + udp dport 6969 \ + accept comment "sonos: setup" + ip protocol udp \ + udp sport { 32413, 32414 } \ + udp dport { 32412, 32414 } \ + accept comment "sonos" } chain ssh { ip protocol tcp \ @@ -62,25 +71,27 @@ in { } chain steam { # https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB - ip protocol . th sport . th dport vmap \ - { udp . >= 0 . 27000-27100 : \ - comment "steam: client: game traffic" \ - , udp . 27031-27036 . >= 0 : \ - comment "steam: client: remote play" \ - , tcp . 27036 . >= 0 : \ - comment "steam: client: remote play" \ - , udp . >= 0 . 4380 : \ - comment "steam: client" \ - , tcp . 27015 . >= 0 : \ - comment "steam: servers: SRCDS Rcon port" \ - , udp . 27015 . >= 0 : \ - comment "steam: servers: gameplay traffic" \ - , udp . >= 0 . { 3478 \ - , 4379 \ - , 4380 \ - , 27014-27030 } : \ - comment "steam: p2p, voice chat" } - accept + ip protocol { udp, tcp } \ + th dport 27015-27050 \ + accept comment "steam: login, download" + ip protocol udp \ + udp dport 27000-27100 \ + accept comment "steam: client: game traffic" + ip protocol . th sport \ + { udp . 27031-27036, tcp . 27036 } \ + accept comment "steam: client: remote play" + ip protocol udp \ + udp dport 4380 \ + accept comment "steam: client" + ip protocol tcp \ + tcp sport 27015 \ + accept comment "steam: servers: SRCDS Rcon port" + ip protocol udp \ + udp sport 27015 \ + accept comment "steam: servers: gameplay traffic" + ip protocol udp \ + udp dport { 3478, 4379, 4380, 27014-27030 } \ + accept comment "steam: p2p, voice chat" } chain syncthing { # https://docs.syncthing.net/users/firewall.html @@ -94,6 +105,15 @@ in { accept comment "syncthing: discovery broadcasts" } + chain in_wan { + jump dns + jump dhcp + jump ssh + } + chain in_iot { + jump dns + jump dhcp + } chain inbound { type filter hook input priority 0; policy drop; icmp type echo-request limit rate 5/second accept @@ -101,25 +121,32 @@ in { meta iifname vmap \ { lo : accept \ , ${lan.interface} : drop \ - , ${wan.interface} : jump dns jump dhcp jump ssh \ - , ${iot.interface} : jump dns jump dhcp } + , ${wan.interface} : goto in_wan \ + , ${iot.interface} : goto in_iot } } + chain wan_wan { + jump kdeconnect + jump syncthing + } + chain iot_wan { + jump sonos_app + } chain forward { type filter hook forward priority 0; policy drop; jump conntrack meta oifname ${lan.interface} accept meta iifname ${wan.interface} meta oifname ${wan.interface} \ - jump kdeconnect jump syncthing + goto wan_wan meta iifname ${iot.interface} meta oifname ${wan.interface} \ - jump sonos_app + goto iot_wan } } table ip nat { chain postrouting { type nat hook postrouting priority 100; policy accept; - meta oifname ${lan.interface} snat to ${lan.machines.self.address} + meta oifname ${lan.interface} snat to ${lan.machines.self.address} } } @@ -134,6 +161,6 @@ in { ''; }; - firewall.enable = false; + firewall.enable = lib.mkForce false; }; } |