mirror of
https://github.com/oddlama/nix-config.git
synced 2025-10-11 07:10:39 +02:00
feat(nftables): update to new nftables firewall branch
This commit is contained in:
parent
051fdc24cb
commit
1f9a28c3db
11 changed files with 48 additions and 100 deletions
|
@ -27,43 +27,28 @@
|
|||
|
||||
firewall = {
|
||||
enable = true;
|
||||
|
||||
# TODO mkForce nftables
|
||||
zones = lib.mkForce {
|
||||
local.localZone = true;
|
||||
localZoneName = "local";
|
||||
snippets = {
|
||||
nnf-conntrack.enable = true;
|
||||
nnf-drop.enable = true;
|
||||
nnf-loopback.enable = true;
|
||||
nnf-ssh.enable = true;
|
||||
nnf-icmp = {
|
||||
enable = true;
|
||||
ipv6Types = ["echo-request" "destination-unreachable" "packet-too-big" "time-exceeded" "parameter-problem" "nd-router-advert" "nd-neighbor-solicit" "nd-neighbor-advert"];
|
||||
ipv4Types = ["echo-request" "destination-unreachable" "router-advertisement" "time-exceeded" "parameter-problem"];
|
||||
};
|
||||
};
|
||||
|
||||
rules = lib.mkForce {
|
||||
icmp = {
|
||||
early = true;
|
||||
after = ["ct"];
|
||||
from = "all";
|
||||
to = ["local"];
|
||||
extraLines = [
|
||||
"ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept"
|
||||
"ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept"
|
||||
#"ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport 546 accept" # (dhcpv6)
|
||||
];
|
||||
};
|
||||
rules.untrusted-to-local = {
|
||||
from = ["untrusted"];
|
||||
to = ["local"];
|
||||
|
||||
ssh = {
|
||||
early = true;
|
||||
after = ["ct"];
|
||||
from = "all";
|
||||
to = ["local"];
|
||||
allowedTCPPorts = config.services.openssh.ports;
|
||||
};
|
||||
|
||||
untrusted-to-local = {
|
||||
from = ["untrusted"];
|
||||
to = ["local"];
|
||||
|
||||
inherit
|
||||
(config.networking.firewall)
|
||||
allowedTCPPorts
|
||||
allowedUDPPorts
|
||||
;
|
||||
};
|
||||
inherit
|
||||
(config.networking.firewall)
|
||||
allowedTCPPorts
|
||||
allowedUDPPorts
|
||||
;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
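Review bot: The ssh rule (`allowedTCPPorts = config.services.openssh.ports;`), the icmp rule with its ICMPv6 neighbour-discovery accept line, and the nnf-* snippets (conntrack, drop, loopback, ssh, icmp) appear only on what looks like the removed side of this hunk, while the surviving `rules.untrusted-to-local` keeps only `allowedTCPPorts`/`allowedUDPPorts` inherited from `config.networking.firewall`. If the new branch does not enable equivalent defaults, the host loses SSH reachability and IPv6 neighbour discovery on an untrusted link, and since `local.localZone = true; localZoneName = "local";` is also gone, `to = ["local"]` now depends on the new branch providing a zone of that name. The page shows no +/- markers, so the side assignment is inferred from the hunk counts (43 old, 28 new) and should be confirmed against the raw diff. A short comment on the surviving block such as `# ssh, icmp and conntrack/drop/loopback handling come from the new nftables branch defaults` would record where those rules now live; the same mkForce removal recurs in the later hunks of this commit. The enclosing `firewall = { … }` attribute set continues outside the hunk.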
@ -60,17 +60,11 @@
|
|||
);
|
||||
in
|
||||
lib.mkIf (mdnsInterfaces != []) {
|
||||
# TODO mkForce nftables
|
||||
zones = lib.mkForce {
|
||||
mdns.interfaces = mdnsInterfaces;
|
||||
};
|
||||
|
||||
rules = lib.mkForce {
|
||||
mdns-to-local = {
|
||||
from = ["mdns"];
|
||||
to = ["local"];
|
||||
allowedUDPPorts = [5353];
|
||||
};
|
||||
zones.mdns.interfaces = mdnsInterfaces;
|
||||
rules.mdns-to-local = {
|
||||
from = ["mdns"];
|
||||
to = ["local"];
|
||||
allowedUDPPorts = [5353];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -190,11 +190,8 @@
|
|||
};
|
||||
};
|
||||
|
||||
# TODO mkForce nftables
|
||||
networking.nftables.firewall = {
|
||||
zones = mkForce {
|
||||
untrusted.interfaces = [vmCfg.networking.mainLinkName];
|
||||
};
|
||||
zones.untrusted.interfaces = [vmCfg.networking.mainLinkName];
|
||||
};
|
||||
|
||||
meta.wireguard = mkIf vmCfg.localWireguard {
|
||||
|
|
|
@ -20,7 +20,6 @@
|
|||
mapAttrsToList
|
||||
mdDoc
|
||||
mergeToplevelConfigs
|
||||
mkForce
|
||||
mkIf
|
||||
mkOption
|
||||
net
|
||||
|
@ -134,11 +133,9 @@
|
|||
[wgCfg.server.port];
|
||||
|
||||
# Open the port in the given nftables rule if specified
|
||||
# TODO mkForce nftables
|
||||
networking.nftables.firewall.rules = mkForce (
|
||||
networking.nftables.firewall.rules =
|
||||
optionalAttrs (isServer && wgCfg.server.openFirewallRules != [])
|
||||
(genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];}))
|
||||
);
|
||||
(genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];}));
|
||||
|
||||
age.secrets =
|
||||
concatAttrs (map
|
||||
|
|