dan/liminix
1
0
Fork 5
Code

firewall rules: use @lan and @wan sets instead of ifnames

Browse Source 
we don't have anything yet to create or populate the sets
This commit is contained in:
Daniel Barlow 2025-02-03 19:51:08 +00:00
parent eff255fe12
commit c92aacc6fd
1 changed files with 26 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
modules/firewall/default-rules.nix
View File

@ -62,8 +62,8 @@ in {
# https://www.mankier.com/8/nft#Payload_Expressions-Raw_Payload_Expression # https://www.mankier.com/8/nft#Payload_Expressions-Raw_Payload_Expression
"@nh,192,8 eq 0xff @nh,204,4 le ${toString mcast-scope}") "@nh,192,8 eq 0xff @nh,204,4 le ${toString mcast-scope}")
(accept "oifname \"int\" iifname \"ppp0\" meta l4proto udp ct state established,related") (accept "oifname @lan iifname @wan meta l4proto udp ct state established,related")
(accept "iifname \"int\" oifname \"ppp0\" meta l4proto udp") (accept "iifname @lan oifname @wan meta l4proto udp")
(accept "meta l4proto icmpv6") (accept "meta l4proto icmpv6")
(accept "meta l4proto ah") (accept "meta l4proto ah")
@ -71,31 +71,31 @@ in {
# does this ever get used or does the preceding general udp accept # does this ever get used or does the preceding general udp accept
# already grab anything that might get here? # already grab anything that might get here?
(accept "oifname \"ppp0\" udp dport 500") # IKE Protocol [RFC5996]. haha zyxel (accept "oifname @wan udp dport 500") # IKE Protocol [RFC5996]. haha zyxel
(accept "ip6 nexthdr 139") # Host Identity Protocol (accept "ip6 nexthdr 139") # Host Identity Protocol
## FIXME no support yet for recs 27-30 Mobility Header ## FIXME no support yet for recs 27-30 Mobility Header
(accept "oifname \"int\" iifname \"ppp0\" meta l4proto tcp ct state established,related") (accept "oifname @lan iifname @wan meta l4proto tcp ct state established,related")
(accept "iifname \"int\" oifname \"ppp0\" meta l4proto tcp") (accept "iifname @lan oifname @wan meta l4proto tcp")
(accept "oifname \"int\" iifname \"ppp0\" meta l4proto sctp ct state established,related") (accept "oifname @lan iifname @wan meta l4proto sctp ct state established,related")
(accept "iifname \"int\" oifname \"ppp0\" meta l4proto sctp") (accept "iifname @lan oifname @wan meta l4proto sctp")
(accept "oifname \"int\" iifname \"ppp0\" meta l4proto dccp ct state established,related") (accept "oifname @lan iifname @wan meta l4proto dccp ct state established,related")
(accept "iifname \"int\" oifname \"ppp0\" meta l4proto dccp") (accept "iifname @lan oifname @wan meta l4proto dccp")
# we can allow all reasonable inbound, or we can use an explicit # we can allow all reasonable inbound, or we can use an explicit
# allowlist to enumerate the endpoints that are allowed to # allowlist to enumerate the endpoints that are allowed to
# accept inbound from the WAN # accept inbound from the WAN
(if allow-incoming (if allow-incoming
then accept "oifname \"int\" iifname \"ppp0\"" then accept "oifname @lan iifname @wan"
else "iifname \"ppp0\" jump incoming-allowed-ip6" else "iifname @wan jump incoming-allowed-ip6"
) )
# allow all outbound and any inbound that's part of a # allow all outbound and any inbound that's part of a
# recognised (outbound-initiated) flow # recognised (outbound-initiated) flow
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related") (accept "oifname @lan iifname @wan ct state established,related")
(accept "iifname \"int\" oifname \"ppp0\" ") (accept "iifname @lan oifname @wan ")
"log prefix \"DENIED CHAIN=forward-ip6 \"" "log prefix \"DENIED CHAIN=forward-ip6 \""
]; ];
@ -128,15 +128,15 @@ in {
hook = "input"; hook = "input";
rules = [ rules = [
(accept "meta l4proto icmpv6") (accept "meta l4proto icmpv6")
"iifname int jump input-ip6-lan" "iifname @lan jump input-ip6-lan"
"iifname ppp0 jump input-ip6-wan" "iifname @wan jump input-ip6-wan"
(if allow-incoming (if allow-incoming
then accept "iifname \"ppp0\"" then accept "iifname @wan"
else "iifname \"ppp0\" jump incoming-allowed-ip6" else "iifname @wan jump incoming-allowed-ip6"
) )
# how does this even make sense in an input chain? # how does this even make sense in an input chain?
(accept "iifname \"ppp0\" ct state established,related") (accept "iifname @wan ct state established,related")
(accept "iifname \"int\" ") (accept "iifname @lan ")
"log prefix \"DENIED CHAIN=input-ip6 \"" "log prefix \"DENIED CHAIN=input-ip6 \""
]; ];
}; };
@ -146,7 +146,7 @@ in {
family = "ip6"; family = "ip6";
rules = [ rules = [
# this is where you put permitted incoming connections # this is where you put permitted incoming connections
# "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22" # "oifname @lan ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"
]; ];
}; };
@ -157,7 +157,7 @@ in {
policy = "accept"; policy = "accept";
family = "ip"; family = "ip";
rules = [ rules = [
"oifname \"ppp0\" masquerade" "oifname @wan masquerade"
]; ];
}; };
@ -208,9 +208,9 @@ in {
rules = [ rules = [
"iifname lo accept" "iifname lo accept"
"icmp type { echo-request, echo-reply } accept" "icmp type { echo-request, echo-reply } accept"
"iifname int jump input-ip4-lan" "iifname @lan jump input-ip4-lan"
"iifname ppp0 jump input-ip4-wan" "iifname @wan jump input-ip4-wan"
"iifname ppp0 jump incoming-allowed-ip4" "iifname @wan jump incoming-allowed-ip4"
"ct state established,related accept" "ct state established,related accept"
"log prefix \"DENIED CHAIN=input-ip4 \"" "log prefix \"DENIED CHAIN=input-ip4 \""
]; ];
@ -222,9 +222,9 @@ in {
policy = "drop"; policy = "drop";
hook = "forward"; hook = "forward";
rules = [ rules = [
"iifname \"int\" accept" "iifname @lan accept"
"ct state established,related accept" "ct state established,related accept"
"oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4" "oifname @lan iifname @wan jump incoming-allowed-ip4"
"log prefix \"DENIED CHAIN=forward-ip4 \"" "log prefix \"DENIED CHAIN=forward-ip4 \""
]; ];
}; };