From eeda716b9b2e9af605baf26b0baa4e3d01ac6f72 Mon Sep 17 00:00:00 2001
From: Daniel Flanagan
Date: Wed, 17 Jul 2024 15:08:24 -0500
Subject: [PATCH] Work on firewall cleanup

---
flake.lock | 60 +-------------
flake.nix | 7 +-
modules/nixos/default.nix | 8 ++
nixos/router.nix | 170 +++++++++++++++++++++++++++-----------
4 files changed, 134 insertions(+), 111 deletions(-)

diff --git a/flake.lock b/flake.lock
index 6e24da3..78dcacc 100644
--- a/flake.lock
+++ b/flake.lock
@@ -21,27 +21,6 @@
 "type": "github"
 }
 },
- "dependencyDagOfSubmodule": {
- "inputs": {
- "nixpkgs": [
- "nnf",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1656615370,
- "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
- "owner": "thelegy",
- "repo": "nix-dependencyDagOfSubmodule",
- "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
- "type": "github"
- },
- "original": {
- "owner": "thelegy",
- "repo": "nix-dependencyDagOfSubmodule",
- "type": "github"
- }
- },
 "disko": {
 "inputs": {
 "nixpkgs": [
@@ -416,22 +395,6 @@
 }
 },
 "nixpkgs_4": {
- "locked": {
- "lastModified": 1692638711,
- "narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_5": {
 "locked": {
 "lastModified": 1716769173,
 "narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=",
@@ -447,26 +410,6 @@
 "type": "github"
 }
 },
- "nnf": {
- "inputs": {
- "dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
- "nixpkgs": "nixpkgs_4"
- },
- "locked": {
- "lastModified": 1720615408,
- "narHash": "sha256-Q1G6GVUWXra9rdWTbSq21WaeRyWwINE7a5SRJekn6h4=",
- "owner": "thelegy",
- "repo": "nixos-nftables-firewall",
- "rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
- "type": "github"
- },
- "original": {
- "owner": "thelegy",
- "repo": "nixos-nftables-firewall",
- "rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
- "type": "github"
- }
- },
 "pre-commit": {
 "inputs": {
 "flake-compat": "flake-compat",
@@ -499,7 +442,6 @@
 "hyprland": "hyprland",
 "nixpkgs": "nixpkgs_3",
 "nixpkgs-unstable": "nixpkgs-unstable",
- "nnf": "nnf",
 "pre-commit": "pre-commit",
 "slippi": "slippi",
 "sops-nix": "sops-nix"
@@ -532,7 +474,7 @@
 },
 "slippi": {
 "inputs": {
- "nixpkgs": "nixpkgs_5"
+ "nixpkgs": "nixpkgs_4"
 },
 "locked": {
 "lastModified": 1720625270,
diff --git a/flake.nix b/flake.nix
index 7deb12c..574273e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,7 +21,7 @@
 hyprland.url = "github:hyprwm/Hyprland";
 slippi.url = "github:lytedev/slippi-nix";

- nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
+ # nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
 };

 nixConfig = {
@@ -54,7 +54,7 @@
 home-manager,
 helix,
 hardware,
- nnf,
+ # nnf,
 # hyprland,
 slippi,
 ...
@@ -347,7 +347,8 @@
 modules = with nixosModules; [
 outputs.diskoConfigurations.unencrypted
 common
- nnf.nixosModules.default
+ linux
+ # nnf.nixosModules.default
 ./nixos/router.nix
 ];
 };
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index fcde4ab..6a28476 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -173,6 +173,14 @@
 };
 };

+ linux = {pkgs, ...}: {
+ home-manager.users.daniel = {
+ imports = with homeManagerModules; [
+ linux
+ ];
+ };
+ };
+
 tailscale = {lib, ...}: {
 services.tailscale = {
 enable = true;
diff --git a/nixos/router.nix b/nixos/router.nix
index bada4ff..9cd0c7e 100644
--- a/nixos/router.nix
+++ b/nixos/router.nix
@@ -19,11 +19,11 @@
 };
 interfaces = {
 wan = {
- name = "wan0";
+ name = "wan";
 mac = "00:01:2e:82:73:59";
 };
 lan = {
- name = "lan0";
+ name = "lan";
 mac = "00:01:2e:82:73:5a";
 };
 };
@@ -105,56 +105,120 @@ in {
 ff02::2 ip6-allrouters '';
- nftables.firewall = let
- me = config.networking.nftables.firewall.localZoneName;
+ nftables = let
+ inf = {
+ lan = interfaces.lan.name;
+ wan = interfaces.wan.name;
+ };
 in {
 enable = true;
- snippets.nnf-common.enable = true;
+ ruleset = with inf; ''
+ table inet filter {
+ set LANv4 {
+ type ipv4_addr
+ flags interval
+ elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
+ }
+ set LANv6 {
+ type ipv6_addr
+ flags interval
+ elements = { fd00::/8, fe80::/10 }
+ }
+ # maybe tailnet?

- zones = {
- ${interfaces.wan.name} = {
- interfaces = [interfaces.wan.name];
- };
- ${interfaces.lan.name} = {
- parent = interfaces.wan.name;
- ipv4Addresses = [cidr];
- };
- # banned = {
- # ingressExpression = [
- # "ip saddr @banlist"
- # "ip6 saddr @banlist6"
- # ];
- # egressExpression = [
- # "ip daddr @banlist"
- # "ip6 daddr @banlist6"
- # ];
- # };
- };
+ chain my_input_lan {
+ udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
+ udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"
+ }

- rules = {
- dhcp = {
- from = "all";
- to = [hosts.beefcake.ip];
- allowedTCPPorts = [67];
- allowedUDPPorts = [67];
- };
- http = {
- from = "all";
- to = [hosts.beefcake.ip];
- allowedTCPPorts = [80 443];
- };
- router-ssh = {
- from = "all";
- to = [me];
- allowedTCPPorts = [2201];
- };
- server-ssh = {
- from = "all";
- to = [hosts.beefcake.ip];
- allowedTCPPorts = [22];
- };
- };
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ iif lo accept comment "Accept any localhost traffic"
+ ct state invalid drop comment "Drop invalid connections"
+ ct state established,related accept comment "Accept traffic originated from us"
+
+ meta l4proto ipv6-icmp accept comment "Accept ICMPv6"
+ meta l4proto icmp accept comment "Accept ICMP"
+ ip 
protocol igmp accept comment "Accept IGMP"
+
+ udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
+ udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
+
+ ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"
+ ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"
+
+ iifname "${lan}" accept comment "Allow local network to access the router"
+
+ iifname "${wan}" counter drop comment "Drop all other unsolicited traffic from wan"
+ }
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
+ iifname { "${wan}" } oifname { "${lan}" } ct state { established, related } accept comment "Allow established back to LAN"
+ }
+ }
+
+ table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ oifname "${wan}" masquerade
+ }
+ }
+ '';
 };
+
+ # nftables.firewall = let
+ # me = config.networking.nftables.firewall.localZoneName;
+ # in {
+ # enable = true;
+ # snippets.nnf-common.enable = true;
+
+ # zones = {
+ # ${interfaces.wan.name} = {
+ # interfaces = [interfaces.wan.name interfaces.lan.name];
+ # };
+ # ${interfaces.lan.name} = {
+ # parent = interfaces.wan.name;
+ # ipv4Addresses = [cidr];
+ # };
+ # # banned = {
+ # # ingressExpression = [
+ # # "ip saddr @banlist"
+ # # "ip6 saddr @banlist6"
+ # # ];
+ # # egressExpression = [
+ # # "ip daddr @banlist"
+ # # "ip6 daddr @banlist6"
+ # # ];
+ # # };
+ # };
+
+ # rules = {
+ # dhcp = {
+ # from = "all";
+ # to = [hosts.beefcake.ip];
+ # allowedTCPPorts = [67];
+ # allowedUDPPorts = [67];
+ # };
+ # http = {
+ # from = "all";
+ # to = [me];
+ # allowedTCPPorts = [80 443];
+ # };
+ # router-ssh = {
+ # from = "all";
+ # to = [me];
+ # allowedTCPPorts = [2201];
+ # };
+ # server-ssh = {
+ # from = "all";
+ # to = [hosts.beefcake.ip];
+ # allowedTCPPorts = [22];
+ # };
+ # };
+ # };
 };
 systemd.network = {
@@ -218,15 +282,23 @@ in {
 services.dnsmasq = {
 enable = true;
 settings = {
- server = ["1.1.1.1" "9.9.9.9" "8.8.8.8"];
+ listen-address = "::,127.0.0.1,${ip}";
+ port = 53;
+
+ # dhcp-authoritative = true;
+ # dnssec = true;
+ # enable-ra = true;
+
+ server = ["::1" "127.0.0.1" "1.1.1.1" "9.9.9.9" "8.8.8.8"];
 domain-needed = true;
 bogus-priv = true;
 no-resolv = true;
- cache-size = 1000;
+ cache-size = "10000";
 dhcp-range = with dhcp_lease_space; ["${interfaces.lan.name},${min},${max},${netmask},24h"];
+ except-interface = interfaces.wan.name;
 interface = interfaces.lan.name;
 dhcp-host = [
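Review bot: The IGMP rule and both mDNS rules in `chain input` carry no interface match and sit above the `iifname "${wan}" counter drop` line, so that traffic is accepted from the WAN too; since the later `iifname "${lan}" accept` already admits everything from the LAN, those three rules only widen what the WAN side can reach, and should be prefixed with `iifname "${lan}"`. `chain forward` also lacks the `ct state invalid drop` that `chain input` has, so conntrack-invalid packets arriving on the LAN are still forwarded out the WAN under the lan-to-wan accept. The removed nnf `rules` appear to have allowed DHCP, HTTP/HTTPS and SSH towards `hosts.beefcake.ip` and port 2201 on the router from every zone, and the new ruleset has no prerouting/DNAT chain at all, so none of that is reachable from the WAN any more; if that is intentional, a one-line comment saying so would stop the commented-out copy below from being read as pending work. The enclosing `networking` attribute set starts before this hunk.

```nix
          # … unchanged: lo / ct state / ICMP and ICMPv6 rules …
          iifname "${lan}" ip protocol igmp accept comment "Accept IGMP from LAN only"

          iifname "${lan}" udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS from LAN only"
          iifname "${lan}" udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS from LAN only"
          # … unchanged: LANv4/LANv6 jumps, lan accept, wan drop …
        chain forward {
          type filter hook forward priority filter; policy drop;
          ct state invalid drop comment "Drop invalid connections"
          # … unchanged: lan-to-wan accept, established wan-to-lan accept …
```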
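Review bot: The new `server` list contains `"::1"` and `"127.0.0.1"`, but with `listen-address = "::,127.0.0.1,${ip}"` and `port = 53` those loopback addresses are dnsmasq itself, so dnsmasq is configured to forward queries to itself and any query steered to those entries loops until it gives up (no `dns-loop-detect` is set here). Unless a second resolver is meant to run on loopback on another port, keep the upstreams as `server = ["1.1.1.1" "9.9.9.9" "8.8.8.8"];`. `::` in `listen-address` is the IPv6 wildcard, so DNS is presumably offered on every IPv6 address the router holds, including any on the WAN side; `except-interface` and the WAN drop in the nftables ruleset look like they cover that, but naming the LAN's IPv6 address explicitly or adding `bind-interfaces = true;` would not depend on those two staying in sync. `dnssec` and `dhcp-authoritative` are added only as comments; a short note on why they are off would keep the next reader from enabling them blindly. The enclosing `services.dnsmasq.settings` set continues past the hunk.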