diff --git a/flake.lock b/flake.lock index 2dbda00..f6473bd 100644 --- a/flake.lock +++ b/flake.lock @@ -845,15 +845,16 @@ ] }, "locked": { - "lastModified": 1695065444, - "narHash": "sha256-c39mzyE1Z95bOjNfcCpENdQUn8lgTQFXNDeDguZnKs4=", + "lastModified": 1694993757, + "narHash": "sha256-aXjkz/3rSuJ78Ry0ekzcTrdwvdgJwFyblOSL/PdgbUo=", "owner": "thelegy", "repo": "nixos-nftables-firewall", - "rev": "f1d43094940379f8aa3b7ef750b48db48b622584", + "rev": "0680e272f389a8101f87dd82be0a8132c8eabddf", "type": "github" }, "original": { "owner": "thelegy", + "ref": "opt-in-rules", "repo": "nixos-nftables-firewall", "type": "github" } diff --git a/flake.nix b/flake.nix index a8bad41..a642019 100644 --- a/flake.nix +++ b/flake.nix @@ -56,7 +56,7 @@ }; nixos-nftables-firewall = { - url = "github:thelegy/nixos-nftables-firewall"; + url = "github:thelegy/nixos-nftables-firewall/opt-in-rules"; inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/hosts/kroma/net.nix b/hosts/kroma/net.nix index 0d279b5..cb52ffd 100644 --- a/hosts/kroma/net.nix +++ b/hosts/kroma/net.nix @@ -1,8 +1,4 @@ -{ - config, - lib, - ... -}: { +{config, ...}: { networking = { inherit (config.repo.secrets.local.networking) hostId; wireless.iwd.enable = true; @@ -37,8 +33,6 @@ }; networking.nftables.firewall = { - zones = lib.mkForce { - untrusted.interfaces = ["lan1" "wlan1"]; - }; + zones.untrusted.interfaces = ["lan1" "wlan1"]; }; } diff --git a/hosts/nom/net.nix b/hosts/nom/net.nix index 0d279b5..cb52ffd 100644 --- a/hosts/nom/net.nix +++ b/hosts/nom/net.nix @@ -1,8 +1,4 @@ -{ - config, - lib, - ... -}: { +{config, ...}: { networking = { inherit (config.repo.secrets.local.networking) hostId; wireless.iwd.enable = true; @@ -37,8 +33,6 @@ }; networking.nftables.firewall = { - zones = lib.mkForce { - untrusted.interfaces = ["lan1" "wlan1"]; - }; + zones.untrusted.interfaces = ["lan1" "wlan1"]; }; } diff --git a/hosts/sentinel/net.nix b/hosts/sentinel/net.nix index a1151a8..9ac8535 100644 
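Review bot: The input now tracks the `opt-in-rules` feature branch rather than the repository's default branch, and nothing in the hunk records why. The lock pins the commit (`0680e272…` in flake.lock), so builds stay reproducible, but a future `nix flake update` will follow whatever that branch points to at the time, and feature branches are routinely rebased or deleted once merged. A short comment next to the url, e.g. `# Tracks the opt-in-rules feature branch, not the default branch; revisit on the next update`, keeps that status visible to whoever bumps the input later.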
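Review bot: Dropping `lib.mkForce` here (and in the identical hunks in hosts/nom/net.nix and hosts/zackbiene/net.nix) means any zones or rules the firewall module defines at default priority are no longer displaced, so the host's effective ruleset becomes the merge of this file with the module's defaults. That is presumably the point of the `opt-in-rules` branch, but the hunk cannot show that no default zone or accept rule remains; compare `nft list ruleset` on one host before and after the switch, since an interface tagged `untrusted` is exactly where an unexpected accept matters. The first hunk also removes `lib` from the module arguments; if `lib` is used anywhere else in the file, evaluation fails, which these two hunks cannot show either way.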
--- a/hosts/sentinel/net.nix +++ b/hosts/sentinel/net.nix @@ -1,8 +1,4 @@ -{ - config, - lib, - ... -}: { +{config, ...}: { networking.hostId = config.repo.secrets.local.networking.hostId; networking.domain = config.repo.secrets.local.personalDomain; @@ -35,19 +31,16 @@ }; }; - # TODO mkForce nftables networking.nftables.firewall = { - zones = lib.mkForce { + zones = { untrusted.interfaces = ["wan"]; proxy-sentinel.interfaces = ["proxy-sentinel"]; }; - rules = lib.mkForce { - # Allow accessing nginx through the proxy - proxy-sentinel-to-local = { - from = ["proxy-sentinel"]; - to = ["local"]; - allowedTCPPorts = [80 443]; - }; + # Allow accessing nginx through the proxy + rules.proxy-sentinel-to-local = { + from = ["proxy-sentinel"]; + to = ["local"]; + allowedTCPPorts = [80 443]; }; }; diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix index fe83046..2b7903c 100644 --- a/hosts/ward/net.nix +++ b/hosts/ward/net.nix @@ -95,19 +95,15 @@ in { }; }; - # TODO mkForce nftables networking.nftables.firewall = { - zones = lib.mkForce { + snippets.nnf-icmp.ipv6Types = ["mld-listener-query" "nd-router-solicit"]; + + zones = { untrusted.interfaces = ["wan"]; lan.interfaces = ["lan-self"]; }; - rules = lib.mkForce { - icmp = { - # accept ipv6 router solicit and multicast listener discovery query - extraLines = ["ip6 nexthdr icmpv6 icmpv6 type { mld-listener-query, nd-router-solicit } accept"]; - }; - + rules = { masquerade = { from = ["lan"]; to = ["untrusted"]; diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix index aa3a50d..ccb810d 100644 --- a/hosts/zackbiene/net.nix +++ b/hosts/zackbiene/net.nix @@ -46,10 +46,7 @@ in { }; }; - # TODO mkForce nftables networking.nftables.firewall = { - zones = lib.mkForce { - untrusted.interfaces = ["lan1"]; - }; + zones.untrusted.interfaces = ["lan1"]; }; } diff --git a/modules/config/nftables.nix b/modules/config/nftables.nix index a812b79..560d593 100644 --- a/modules/config/nftables.nix +++ b/modules/config/nftables.nix 
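Review bot: The new `snippets.nnf-icmp.ipv6Types` line in hosts/ward/net.nix silently depends on list-merge semantics: the base ICMPv6 types are set in modules/config/nftables.nix, and this host's two extra types only add to them if the option is a list type the module system concatenates; if it is not, one definition wins or evaluation reports a conflict, and the rationale the removed rule carried is gone either way. Keep the explanation above the new line, e.g. `# Additionally accept MLD listener queries and router solicitations (merged with the base ICMPv6 types)`. The removed accept lines were also scoped by the old `icmp` rule's `from = "all"; to = ["local"]`; whether the snippet applies the same scope is not visible here. The `networking.nftables.firewall` attrset continues past the end of the hunk.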
@@ -27,43 +27,28 @@ firewall = { enable = true; - - # TODO mkForce nftables - zones = lib.mkForce { - local.localZone = true; + localZoneName = "local"; + snippets = { + nnf-conntrack.enable = true; + nnf-drop.enable = true; + nnf-loopback.enable = true; + nnf-ssh.enable = true; + nnf-icmp = { + enable = true; + ipv6Types = ["echo-request" "destination-unreachable" "packet-too-big" "time-exceeded" "parameter-problem" "nd-router-advert" "nd-neighbor-solicit" "nd-neighbor-advert"]; + ipv4Types = ["echo-request" "destination-unreachable" "router-advertisement" "time-exceeded" "parameter-problem"]; + }; }; - rules = lib.mkForce { - icmp = { - early = true; - after = ["ct"]; - from = "all"; - to = ["local"]; - extraLines = [ - "ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept" - "ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept" - #"ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport 546 accept" # (dhcpv6) - ]; - }; + rules.untrusted-to-local = { + from = ["untrusted"]; + to = ["local"]; - ssh = { - early = true; - after = ["ct"]; - from = "all"; - to = ["local"]; - allowedTCPPorts = config.services.openssh.ports; - }; - - untrusted-to-local = { - from = ["untrusted"]; - to = ["local"]; - - inherit - (config.networking.firewall) - allowedTCPPorts - allowedUDPPorts - ; - }; + inherit + (config.networking.firewall) + allowedTCPPorts + allowedUDPPorts + ; }; }; }; diff --git a/modules/config/resolved.nix b/modules/config/resolved.nix index 9f10365..a50fa8b 100644 --- a/modules/config/resolved.nix +++ b/modules/config/resolved.nix 
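Review bot: The explicit `ssh` rule that opened `config.services.openssh.ports` is replaced by `nnf-ssh.enable = true`, and nothing in the hunk shows that the snippet reads the same option rather than a fixed port 22; on a host with a non-default sshd port that difference locks out remote administration after the rebuild. Confirm the snippet's port source and record it, e.g. `# nnf-ssh must open config.services.openssh.ports (replaces the former explicit ssh rule)`. The removed `icmp` rule was scoped `from = "all"; to = ["local"]` and ordered with `early = true; after = ["ct"]`; whether `nnf-icmp` together with `nnf-drop` reproduces that ordering is likewise not visible, so the generated ruleset should be inspected once after the switch. The commented-out dhcpv6 accept line disappears with the rule; if it was kept as a reminder, it belongs in a comment next to `nnf-icmp` now.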
@@ -60,17 +60,11 @@ ); in lib.mkIf (mdnsInterfaces != []) { - # TODO mkForce nftables - zones = lib.mkForce { - mdns.interfaces = mdnsInterfaces; - }; - - rules = lib.mkForce { - mdns-to-local = { - from = ["mdns"]; - to = ["local"]; - allowedUDPPorts = [5353]; - }; + zones.mdns.interfaces = mdnsInterfaces; + rules.mdns-to-local = { + from = ["mdns"]; + to = ["local"]; + allowedUDPPorts = [5353]; }; }; } diff --git a/modules/meta/microvms.nix b/modules/meta/microvms.nix index 2aa6431..d6dbeb2 100644 --- a/modules/meta/microvms.nix +++ b/modules/meta/microvms.nix @@ -190,11 +190,8 @@ }; }; - # TODO mkForce nftables networking.nftables.firewall = { - zones = mkForce { - untrusted.interfaces = [vmCfg.networking.mainLinkName]; - }; + zones.untrusted.interfaces = [vmCfg.networking.mainLinkName]; }; meta.wireguard = mkIf vmCfg.localWireguard { diff --git a/modules/meta/wireguard.nix b/modules/meta/wireguard.nix index 1959f30..9072ced 100644 --- a/modules/meta/wireguard.nix +++ b/modules/meta/wireguard.nix @@ -20,7 +20,6 @@ mapAttrsToList mdDoc mergeToplevelConfigs - mkForce mkIf mkOption net @@ -134,11 +133,9 @@ [wgCfg.server.port]; # Open the port in the given nftables rule if specified - # TODO mkForce nftables - networking.nftables.firewall.rules = mkForce ( + networking.nftables.firewall.rules = optionalAttrs (isServer && wgCfg.server.openFirewallRules != []) - (genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];})) - ); + (genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];})); age.secrets = concatAttrs (map
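Review bot: `mkForce` is referenced unprefixed in the removed lines of modules/meta/microvms.nix, so the file brings it into scope through an `inherit` that this commit does not touch, unlike modules/meta/wireguard.nix where the same commit removes `mkForce` from the inherit list. If this was the file's last use, trim that inherit list the same way so the two modules stay consistent; the inherit block is outside the hunk, so whether other uses remain cannot be confirmed here.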
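Review bot: `optionalAttrs (isServer && wgCfg.server.openFirewallRules != [])` in modules/meta/wireguard.nix keeps a redundant guard: `genAttrs [] f` already yields `{}`, so `optionalAttrs isServer (genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];}))` expresses the same thing with one condition fewer. With `mkForce` gone, these per-rule `allowedUDPPorts` now merge with any other definition of the same rule name instead of replacing the whole `rules` set, which matches the rest of the commit; the existing comment above the line still describes the intent correctly. The surrounding module body continues outside the hunk.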