summaryrefslogtreecommitdiff
path: root/config/networking
diff options
context:
space:
mode:
Diffstat (limited to 'config/networking')
-rw-r--r--config/networking/services/firewall.nix127
1 files changed, 97 insertions, 30 deletions
diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix
index 1d8a297..30b1a93 100644
--- a/config/networking/services/firewall.nix
+++ b/config/networking/services/firewall.nix
@@ -8,50 +8,118 @@ in {
nftables = {
enable = true;
ruleset = with nets; ''
- table ip global {
- chain inbound_lan {
- icmp type echo-request limit rate 5/second accept
+ table ip filter {
+ chain conntrack {
+ ct state vmap { established : accept \
+ , related : accept \
+ , invalid : drop }
}
- chain inbound_wan {
- icmp type echo-request limit rate 5/second accept
- ip protocol . th dport { tcp . 22 \
- , udp . 53 \
- , tcp . 53 \
- , udp . 67 } accept
+ chain dhcp {
+ # https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#Operation
+ ip protocol udp \
+ udp sport 68 \
+ udp dport 67 \
+ accept comment "dhcp"
}
- chain inbound_iot {
- icmp type echo-request limit rate 5/second accept
- ip protocol . th dport { udp . 53 \
- , tcp . 53 \
- , udp . 67 } accept
+ chain dns {
+ # https://en.wikipedia.org/wiki/Domain_Name_System#Transport_protocols
+ ip protocol { tcp, udp } \
+ th sport 53 \
+ th dport 53 \
+ accept comment "dns"
+ }
+ chain kdeconnect {
+ # https://userbase.kde.org/KDEConnect#I_have_two_devices_running_KDE_Connect_on_the_same_network,_but_they_can't_see_each_other
+ ip protocol { tcp, udp } \
+ th sport 1714-1764 \
+ th dport 1714-1764 \
+ accept comment "kdeconnect"
+ }
+ chain sonos_app {
+ # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos
+ # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454
+ ip protocol . th sport . th dport \
+ { tcp . { 1400, 3400, 3401, 3500 } \
+ . { 1400, 3400, 3401, 3500 } \
+ , udp . 1900-1901 \
+ . 1900-1901 } \
+ accept comment "sonos: app control"
+ }
+ chain sonos {
+ # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos
+ # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454
+ ip protocol . th sport . th dport vmap \
+ { tcp . 4444 . 4444 : comment "sonos: system updates" \
+ , udp . 6969 . 6969 : comment "sonos: setup" \
+ , udp . { 32412, 32414 } \
+ . { 32412, 32414 } : comment "sonos" } accept
+ }
+ chain ssh {
+ ip protocol tcp \
+ tcp sport 22 \
+ tcp dport 22 \
+ accept comment "ssh"
}
+ chain steam {
+ # https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB
+ ip protocol . th sport . th dport vmap \
+ { udp . >= 0 . 27000-27100 : \
+ comment "steam: client: game traffic" \
+ , udp . 27031-27036 . >= 0 : \
+ comment "steam: client: remote play" \
+ , tcp . 27036 . >= 0 : \
+ comment "steam: client: remote play" \
+ , udp . >= 0 . 4380 : \
+ comment "steam: client" \
+ , tcp . 27015 . >= 0 : \
+ comment "steam: servers: SRCDS Rcon port" \
+ , udp . 27015 . >= 0 : \
+ comment "steam: servers: gameplay traffic" \
+ , udp . >= 0 . { 3478 \
+ , 4379 \
+ , 4380 \
+ , 27014-27030 } : \
+ comment "steam: p2p, voice chat" }
+ accept
+ }
+ chain syncthing {
+ # https://docs.syncthing.net/users/firewall.html
+ ip protocol { tcp, udp } \
+ th sport 22000 \
+ th dport 22000 \
+ accept comment "syncthing"
+ ip protocol udp \
+ udp sport 21027 \
+ udp dport 21027 \
+ accept comment "syncthing: discovery broadcasts"
+ }
+
chain inbound {
type filter hook input priority 0; policy drop;
icmp type echo-request limit rate 5/second accept
- ct state vmap { { established \
- , related } : accept \
- , invalid : drop }
- meta iifname vmap { lo : accept \
- , ${lan.interface} : jump inbound_lan \
- , ${wan.interface} : jump inbound_wan \
- , ${iot.interface} : jump inbound_iot }
+ jump conntrack
+ meta iifname vmap \
+ { lo : accept \
+ , ${lan.interface} : drop \
+ , ${wan.interface} : jump dns jump dhcp jump ssh \
+ , ${iot.interface} : jump dns jump dhcp }
}
chain forward {
- type filter hook input priority 0; policy drop;
- ct state vmap { { established \
- , related } : accept \
- , invalid : drop }
+ type filter hook forward priority 0; policy drop;
+ jump conntrack
meta oifname ${lan.interface} accept
- meta iifname ${wan.interface} accept
- meta iifname ${iot.interface} meta oifname ${iot.interface} accept
+ meta iifname ${wan.interface} meta oifname ${wan.interface} \
+ jump kdeconnect jump syncthing
+ meta iifname ${iot.interface} meta oifname ${wan.interface} \
+ jump sonos_app
}
}
table ip nat {
chain postrouting {
type nat hook postrouting priority 100; policy accept;
- meta oifname ${lan.interface} masquerade
+ meta oifname ${lan.interface} snat to ${lan.machines.self.address}
}
}
@@ -62,11 +130,10 @@ in {
chain forward {
type filter hook forward priority 0; policy drop;
}
- }
+ }
'';
};
firewall.enable = false;
};
}
-
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-25 05:13:43 +0000