config/networking/services/firewall.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139

{ config, ... }:

let nets = config.personal.networking.networks;
in {
  boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; };

  networking = {
    nftables = {
      enable = true;
      ruleset = with nets; ''
        table ip filter {
          chain conntrack {
            ct state vmap { established : accept \
                          , related     : accept \
                          , invalid     : drop   }
          }
          chain dhcp {
            # https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#Operation
            ip protocol udp \
              udp sport 68 \
              udp dport 67 \
              accept comment "dhcp"
          }
          chain dns {
            # https://en.wikipedia.org/wiki/Domain_Name_System#Transport_protocols
            ip protocol { tcp, udp } \
              th sport 53 \
              th dport 53 \
              accept comment "dns"
          }
          chain kdeconnect {
            # https://userbase.kde.org/KDEConnect#I_have_two_devices_running_KDE_Connect_on_the_same_network,_but_they_can't_see_each_other
            ip protocol { tcp, udp } \
              th sport 1714-1764 \
              th dport 1714-1764 \
              accept comment "kdeconnect"
          }
          chain sonos_app {
            # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos
            # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454
            ip protocol . th sport . th dport \
              { tcp . { 1400, 3400, 3401, 3500 } \
                    . { 1400, 3400, 3401, 3500 } \
              , udp . 1900-1901 \
                    . 1900-1901 } \
              accept comment "sonos: app control"
          }
          chain sonos {
            # https://support.sonos.com/en-us/article/configure-your-firewall-to-work-with-sonos
            # https://en.community.sonos.com/advanced-setups-229000/changed-udp-tcp-ports-for-sonos-app-needed-after-update-to-s2-6842454
            ip protocol . th sport . th dport vmap \
              { tcp . 4444 . 4444 : comment "sonos: system updates" \
              , udp . 6969 . 6969 : comment "sonos: setup"          \
              , udp . { 32412, 32414 } \
                    . { 32412, 32414 } : comment "sonos" } accept
          }
          chain ssh {
            ip protocol tcp \
              tcp sport 22 \
              tcp dport 22 \
              accept comment "ssh"
          }
          chain steam {
            # https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB
            ip protocol . th sport . th dport vmap \
              { udp . >= 0        . 27000-27100     :      \
                comment "steam: client: game traffic"      \
              , udp . 27031-27036 . >= 0            :      \
                comment "steam: client: remote play"       \
              , tcp . 27036       . >= 0            :      \
                comment "steam: client: remote play"       \
              , udp . >= 0        . 4380            :      \
                comment "steam: client"                    \
              , tcp . 27015       . >= 0            :      \
                comment "steam: servers: SRCDS Rcon port"  \
              , udp . 27015       . >= 0            :      \
                comment "steam: servers: gameplay traffic" \
              , udp . >= 0        . { 3478        \
                                    , 4379        \
                                    , 4380        \
                                    , 27014-27030 } :      \
                comment "steam: p2p, voice chat"           }
              accept
          }
          chain syncthing {
            # https://docs.syncthing.net/users/firewall.html
            ip protocol { tcp, udp } \
              th sport 22000 \
              th dport 22000 \
              accept comment "syncthing"
            ip protocol udp \
              udp sport 21027 \
              udp dport 21027 \
              accept comment "syncthing: discovery broadcasts"
          }

          chain inbound {
            type filter hook input priority 0; policy drop;
            icmp type echo-request limit rate 5/second accept
            jump conntrack
            meta iifname vmap \
              { lo               : accept                      \
              , ${lan.interface} : drop                        \
              , ${wan.interface} : jump dns jump dhcp jump ssh \
              , ${iot.interface} : jump dns jump dhcp }
          }

          chain forward {
            type filter hook forward priority 0; policy drop;
            jump conntrack
            meta oifname ${lan.interface} accept
            meta iifname ${wan.interface} meta oifname ${wan.interface} \
              jump kdeconnect jump syncthing
            meta iifname ${iot.interface} meta oifname ${wan.interface} \
              jump sonos_app
          }
        }

        table ip nat {
          chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            meta oifname ${lan.interface} snat to ${lan.machines.self.address} 
          }
        }

        table ip6 global6 {
         chain input {
            type filter hook input priority 0; policy drop;
          }
          chain forward {
            type filter hook forward priority 0; policy drop;
          }
        }
      '';
    };

    firewall.enable = false;
  };
}