My Nix Configuration
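{
  # NOTE(review): networking.firewall (nixos-fw chains) and services.ferm both
  # program the iptables/ip6tables filter table. Whether they coexist cleanly
  # depends on service ordering and on ferm flushing the tables it manages —
  # confirm one does not clobber the other's rules on (re)start before relying
  # on both. The ports listed here are repeated in the ferm INPUT rules below.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 8000 ];
    allowedUDPPorts = [ 34197 ];
  };

  # Host firewall written in ferm syntax. Default policy is DROP on INPUT and
  # FORWARD; OUTPUT is unrestricted.
  services.ferm = {
    enable = true;
    config = ''
      # ICMP is accepted unconditionally on both address families (PMTU, ND, errors).
      domain ip table filter chain INPUT proto icmp ACCEPT;
      domain ip6 table filter chain INPUT proto (ipv6-icmp icmp) ACCEPT;

      domain (ip ip6) table filter {
        chain INPUT {
          policy DROP;
          interface lo ACCEPT;
          # Connection-tracking rules come before the port-based ACCEPTs, so a
          # malformed/untracked packet is dropped even when it targets an open
          # port, and reply traffic is accepted without walking the port lists.
          mod state state (INVALID) DROP;
          mod state state (ESTABLISHED RELATED) ACCEPT;
          # Overlay/VPN interfaces are trusted entirely.
          interface tailscale0 ACCEPT;
          interface wg42_+ ACCEPT;
          interface wg0 ACCEPT;
          # Publicly reachable services. "http https" and "domain" are the
          # named equivalents of 80/443 and 53, which are already listed.
          proto tcp dport (22 25 53 80 143 389 443 465 587 636 993 4190 6900 8000 http https 34197) ACCEPT;
          # NOTE(review): 22 and 25 are TCP-only services; their UDP entries
          # open surface for nothing — confirm they are intended.
          proto udp dport (22 25 53 480:510 636 4367 6900 8000 34197) ACCEPT;
          # bgp
          proto tcp dport (179) ACCEPT;
          # dns
          proto (udp tcp) dport domain ACCEPT;
        }
        chain OUTPUT {
          policy ACCEPT;
        }
        chain FORWARD {
          policy DROP;
          # allow intern routing and dn42 forwarding
          interface wg42_+ outerface wg42_+ ACCEPT;
          interface tailscale0 outerface tailscale0 ACCEPT;
          interface tailscale0 outerface wg42_+ ACCEPT;
          # but dn42 -> intern only with exceptions
          interface wg42_+ outerface tailscale0 {
            proto (ipv6-icmp icmp) ACCEPT;
            # Allow SSH Access from dn42 to devices behind tailscale0 Interfaces
            proto tcp dport (ssh) ACCEPT;
            # Return traffic for connections initiated from the tailscale side.
            # Only ESTABLISHED is matched here (no RELATED); ICMP errors are
            # already covered by the rule above.
            mod state state (ESTABLISHED) ACCEPT;
          }
        }
      }
    '';
  };
}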