summaryrefslogtreecommitdiff
path: root/config/networking/services/firewall.nix
diff options
context:
space:
mode:
Diffstat (limited to 'config/networking/services/firewall.nix')
-rw-r--r--config/networking/services/firewall.nix165
1 files changed, 0 insertions, 165 deletions
diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix
deleted file mode 100644
index a0aa281..0000000
--- a/config/networking/services/firewall.nix
+++ /dev/null
@@ -1,165 +0,0 @@
-{ config, lib, ... }:
-
-let nets = config.personal.networking.networks;
-in {
- boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; };
-
- networking = {
- nftables = {
- enable = true;
- ruleset = with nets; ''
- table ip filter {
- chain conntrack {
- ct state vmap { established : accept \
- , related : accept \
- , invalid : drop }
- }
- chain dhcp {
- # https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#Operation
- ip protocol udp \
- udp sport 68 \
- udp dport 67 \
- accept comment "dhcp"
- }
- chain dns {
- # https://en.wikipedia.org/wiki/Domain_Name_System#Transport_protocols
- ip protocol { tcp, udp } \
- th sport 53 \
- th dport 53 \
- accept comment "dns"
- }
- chain kdeconnect {
- # https://userbase.kde.org/KDEConnect#I_have_two_devices_running_KDE_Connect_on_the_same_network,_but_they_can't_see_each_other
- ip protocol { tcp, udp } \
- th sport 1714-1764 \
- th dport 1714-1764 \
- accept comment "kdeconnect"
- }
- chain sonos_app {
- # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos
- # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454
- ip protocol tcp \
- tcp sport { 1400, 3400, 3401, 3500 } \
- tcp dport { 1400, 3400, 3401, 3500 } \
- accept comment "sonos: app control"
- ip protocol udp \
- udp sport 1900-1901 \
- udp dport 1900-1901 \
- accept comment "sonos: app control"
- }
- chain sonos {
- # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos
- # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454
- ip protocol tcp \
- tcp sport 4444 \
- tcp dport 4444 \
- accept comment "sonos: system updates"
- ip protocol udp \
- udp sport 6969 \
- udp dport 6969 \
- accept comment "sonos: setup"
- ip protocol udp \
- udp sport { 32413, 32414 } \
- udp dport { 32412, 32414 } \
- accept comment "sonos"
- }
- chain ssh {
- ip protocol tcp \
- tcp dport 22 \
- accept comment "ssh"
- }
- chain steam {
- # https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB
- ip protocol { udp, tcp } \
- th dport 27015-27050 \
- accept comment "steam: login, download"
- ip protocol udp \
- udp dport 27000-27100 \
- accept comment "steam: client: game traffic"
- ip protocol . th sport \
- { udp . 27031-27036, tcp . 27036 } \
- accept comment "steam: client: remote play"
- ip protocol udp \
- udp dport 4380 \
- accept comment "steam: client"
- ip protocol tcp \
- tcp sport 27015 \
- accept comment "steam: servers: SRCDS Rcon port"
- ip protocol udp \
- udp sport 27015 \
- accept comment "steam: servers: gameplay traffic"
- ip protocol udp \
- udp dport { 3478, 4379, 4380, 27014-27030 } \
- accept comment "steam: p2p, voice chat"
- }
- chain syncthing {
- # https://docs.syncthing.net/users/firewall.html
- ip protocol { tcp, udp } \
- th sport 22000 \
- th dport 22000 \
- accept comment "syncthing"
- ip protocol udp \
- udp sport 21027 \
- udp dport 21027 \
- accept comment "syncthing: discovery broadcasts"
- }
-
- chain in_wan {
- jump dns
- jump dhcp
- jump ssh
- }
- chain in_iot {
- jump dns
- jump dhcp
- }
- chain inbound {
- type filter hook input priority 0; policy drop;
- icmp type echo-request limit rate 5/second accept
- jump conntrack
- meta iifname vmap \
- { lo : accept \
- , ${lan.interface} : drop \
- , ${wan.interface} : goto in_wan \
- , ${iot.interface} : goto in_iot }
- }
-
- chain wan_wan {
- jump kdeconnect
- jump syncthing
- }
- chain iot_wan {
- jump sonos_app
- }
- chain forward {
- type filter hook forward priority 0; policy drop;
- jump conntrack
- meta oifname ${lan.interface} accept
- meta iifname ${wan.interface} meta oifname ${wan.interface} \
- goto wan_wan
- meta iifname ${iot.interface} meta oifname ${wan.interface} \
- goto iot_wan
- }
- }
-
- table ip nat {
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
- meta oifname ${lan.interface} snat to ${lan.machines.self.address}
- }
- }
-
- table ip6 global6 {
- chain input {
- type filter hook input priority 0; policy drop;
- }
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
- }
- '';
- };
-
- firewall.enable = lib.mkForce false;
- };
-}
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-25 05:43:26 +0000