Diffstat (limited to 'config/networking/services/firewall')
| -rw-r--r-- | config/networking/services/firewall/default.nix | 31 | ||||
| -rw-r--r-- | config/networking/services/firewall/ruleset.nix | 160 |
2 files changed, 191 insertions, 0 deletions
diff --git a/config/networking/services/firewall/default.nix b/config/networking/services/firewall/default.nix new file mode 100644 index 0000000..878e7cc --- /dev/null +++ b/config/networking/services/firewall/default.nix @@ -0,0 +1,31 @@ +{ config, lib, ... }: + +let + # { any } -> (string -> any -> [ string ]) -> string + mapAttrsStrings = attrs: f: lib.concatStrings (lib.mapAttrsToList f attrs); + bracket = title: content: + '' + ${title} { + '' + content + '' + } + ''; +in { + boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; }; + + networking = { + nftables = { + enable = true; + ruleset = mapAttrsStrings + (import ./ruleset.nix config.personal.networking.networks) + (family: tables: + mapAttrsStrings tables (tableName: chains: + bracket "table ${family} ${tableName}" (mapAttrsStrings chains + (chainName: chain: + bracket "chain ${chainName}" (lib.optionalString (chain ? base) + (with chain.base; '' + type ${type} hook ${hook} priority ${priority}; policy ${policy}; + '') + chain.rules))))); + }; + firewall.enable = lib.mkForce false; + }; +} diff --git a/config/networking/services/firewall/ruleset.nix b/config/networking/services/firewall/ruleset.nix new file mode 100644 index 0000000..b3e75c7 --- /dev/null +++ b/config/networking/services/firewall/ruleset.nix 
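Review bot: `firewall.enable = lib.mkForce false` silently disables every port that a service module opens elsewhere in the configuration through `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` or `openFirewall`, and nothing in this file says those settings are now inert; a comment on that line would save the next reader from expecting them to work, e.g. `# The nftables ruleset above is the only firewall: networking.firewall.allowed*Ports / openFirewall set by other modules have no effect.` The sysctl line turns on IPv4 forwarding for every interface, and what actually passes is decided solely by the drop-policy `forward` chain in ruleset.nix; that coupling deserves a comment too (`# forwarding is enabled globally; the ip filter forward chain in ruleset.nix gates what is routed`).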
@@ -0,0 +1,160 @@ +{ lan, wan, iot, ... }: + +let + makeBaseChain = type: hook: + { priority ? type, policy ? "drop", rules ? "" }: { + base = { inherit type hook priority policy; }; + inherit rules; + }; + rulesCommon = { + conntrack = '' + ct state vmap { established : accept \ + , related : accept \ + , invalid : drop } + ''; + # https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#Operation + dhcp = '' + ip protocol udp \ + udp sport 68 \ + udp dport 67 \ + accept comment dhcp + ''; + # https://en.wikipedia.org/wiki/Domain_Name_System#Transport_protocols + dns = '' + ip protocol { tcp, udp } \ + th sport 53 \ + th dport 53 \ + accept comment dns + ''; + # https://userbase.kde.org/KDEConnect#I_have_two_devices_running_KDE_Connect_on_the_same_network,_but_they_can't_see_each_other + kdeconnect = '' + ip protocol { tcp, udp } \ + th dport 1714-1764 \ + accept comment kdeconnect + ''; + ping = '' + icmp type echo-request limit rate 5/second accept + ''; + ssh = '' + ip protocol tcp \ + tcp dport 22 \ + accept comment ssh + ''; + # # https://docs.syncthing.net/users/firewall.html + syncthing = '' + ip protocol tcp \ + tcp sport 22000 \ + tcp dport 22000 \ + accept comment syncthing + ip protocol udp \ + udp dport 21027 \ + accept comment "syncthing: discovery broadcast" + ''; + }; +in { + ip = { + filter = { + wan_in.rules = with rulesCommon; dns + dhcp + ssh; + iot_in.rules = with rulesCommon; dns + dhcp; + input = makeBaseChain "filter" "input" { + rules = with rulesCommon; + conntrack + ping + '' + meta iifname vmap { lo : accept \ + , ${lan.interface} : drop \ + , ${wan.interface} : goto wan_in \ + , ${iot.interface} : goto iot_in } + ''; + }; + forward = makeBaseChain "filter" "forward" { + rules = with rulesCommon; + conntrack + '' + meta oifname ${lan.interface} accept + ''; + }; + }; + nat = { + postrouting = makeBaseChain "nat" "postrouting" { + priority = "srcnat"; + policy = "accept"; + rules = '' + meta oifname ${lan.interface} snat to 
${lan.machines.self.address} + ''; + }; + }; + }; + + ip6 = { + global6 = { + input = makeBaseChain "filter" "input" { }; + forward = makeBaseChain "filter" "forward" { }; + }; + }; + + bridge = { + filter = { + wan_wan.rules = with rulesCommon; syncthing + kdeconnect; + forward = makeBaseChain "filter" "forward" { + rules = with rulesCommon; + conntrack + '' + ether type vmap { ip6 : drop, arp : accept } + '' + ping + '' + meta ibrname . meta obrname vmap \ + { ${wan.interface} . ${wan.interface} : goto wan_wan } + ''; + }; + }; + }; +} + +# chain sonos_app { +# # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos +# # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454 +# ip protocol tcp \ +# tcp sport { 1400, 3400, 3401, 3500 } \ +# tcp dport { 1400, 3400, 3401, 3500 } \ +# accept comment "sonos: app control" +# ip protocol udp \ +# udp sport 1900-1901 \ +# udp dport 1900-1901 \ +# accept comment "sonos: app control" +# } +# chain sonos { +# # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos +# # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454 +# ip protocol tcp \ +# tcp sport 4444 \ +# tcp dport 4444 \ +# accept comment "sonos: system updates" +# ip protocol udp \ +# udp sport 6969 \ +# udp dport 6969 \ +# accept comment "sonos: setup" +# ip protocol udp \ +# udp sport { 32413, 32414 } \ +# udp dport { 32412, 32414 } \ +# accept comment "sonos" +# } +# chain steam { +# # https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB +# ip protocol { udp, tcp } \ +# th dport 27015-27050 \ +# accept comment "steam: login, download" +# ip protocol udp \ +# udp dport 27000-27100 \ +# accept comment "steam: client: game traffic" +# ip protocol . th sport \ +# { udp . 27031-27036, tcp . 
27036 } \ +# accept comment "steam: client: remote play" +# ip protocol udp \ +# udp dport 4380 \ +# accept comment "steam: client" +# ip protocol tcp \ +# tcp sport 27015 \ +# accept comment "steam: servers: SRCDS Rcon port" +# ip protocol udp \ +# udp sport 27015 \ +# accept comment "steam: servers: gameplay traffic" +# ip protocol udp \ +# udp dport { 3478, 4379, 4380, 27014-27030 } \ +# accept comment "steam: p2p, voice chat" +# } |
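Review bot: The `dns` rule requires `th sport 53` as well as `th dport 53`, but stub resolvers on the `wan` and `iot` segments send queries from an ephemeral source port, so under the `input` chain's drop policy ordinary client queries to this host would not match; unless the intent is to accept only queries from another resolver bound to port 53, the match should be `ip protocol { tcp, udp } th dport 53 accept comment dns`. The `syncthing` rule in the bridge `wan_wan` chain has the same pattern — `tcp sport 22000` only matches if the dialing peer binds its outgoing connection to 22000, which is not the usual behaviour — so probably only the dport match is wanted there as well. Separately, the `ip6` table's `input` chain has policy drop and no rules, which also drops traffic on `::1`; if IPv6 is meant to be fully off (the bridge chain drops `ether type ip6` too), say so in a comment, otherwise add `meta iifname lo accept` there. The commented-out sonos/steam chains at the end of the file should carry a one-line note on why they are kept.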
