forked from mirrors_public/oddlama_nix-config
68 lines
1.5 KiB
Nix
68 lines
1.5 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
{
|
|
networking.nftables = {
|
|
stopRuleset = lib.mkDefault ''
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority filter; policy drop;
|
|
ct state invalid drop
|
|
ct state {established, related} accept
|
|
|
|
iifname lo accept
|
|
meta l4proto ipv6-icmp accept
|
|
meta l4proto icmp accept
|
|
ip protocol igmp accept
|
|
tcp dport ${toString (lib.head config.services.openssh.ports)} accept
|
|
}
|
|
chain forward {
|
|
type filter hook forward priority filter; policy drop;
|
|
}
|
|
chain output {
|
|
type filter hook output priority filter; policy accept;
|
|
}
|
|
}
|
|
'';
|
|
|
|
firewall = {
|
|
enable = true;
|
|
localZoneName = "local";
|
|
snippets = {
|
|
nnf-common.enable = false;
|
|
nnf-conntrack.enable = true;
|
|
nnf-drop.enable = true;
|
|
nnf-loopback.enable = true;
|
|
nnf-ssh.enable = true;
|
|
};
|
|
|
|
rules.untrusted-to-local = {
|
|
from = [ "untrusted" ];
|
|
to = [ "local" ];
|
|
|
|
inherit (config.networking.firewall)
|
|
allowedTCPPorts
|
|
allowedTCPPortRanges
|
|
allowedUDPPorts
|
|
allowedUDPPortRanges
|
|
;
|
|
};
|
|
|
|
rules.icmp-and-igmp = {
|
|
after = [
|
|
"ct"
|
|
"ssh"
|
|
];
|
|
from = "all";
|
|
to = [ "local" ];
|
|
extraLines = [
|
|
"meta l4proto ipv6-icmp accept"
|
|
"meta l4proto icmp accept"
|
|
"ip protocol igmp accept"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}
|