Work on firewall cleanup

2024-07-17 15:08:24 -05:00 · 2024-07-17 15:08:24 -05:00 · eeda716b9b
commit eeda716b9b
parent a2c6a0fe93
4 changed files with 134 additions and 111 deletions
--- a/flake.lock
+++ b/flake.lock
@ -21,27 +21,6 @@
        "type": "github"
      }
    },
    "dependencyDagOfSubmodule": {
      "inputs": {
        "nixpkgs": [
          "nnf",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1656615370,
        "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
        "owner": "thelegy",
        "repo": "nix-dependencyDagOfSubmodule",
        "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
        "type": "github"
      },
      "original": {
        "owner": "thelegy",
        "repo": "nix-dependencyDagOfSubmodule",
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@ -416,22 +395,6 @@
      }
    },
    "nixpkgs_4": {
      "locked": {
        "lastModified": 1692638711,
        "narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_5": {
      "locked": {
        "lastModified": 1716769173,
        "narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=",
@ -447,26 +410,6 @@
        "type": "github"
      }
    },
    "nnf": {
      "inputs": {
        "dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
        "lastModified": 1720615408,
        "narHash": "sha256-Q1G6GVUWXra9rdWTbSq21WaeRyWwINE7a5SRJekn6h4=",
        "owner": "thelegy",
        "repo": "nixos-nftables-firewall",
        "rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
        "type": "github"
      },
      "original": {
        "owner": "thelegy",
        "repo": "nixos-nftables-firewall",
        "rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
        "type": "github"
      }
    },
    "pre-commit": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -499,7 +442,6 @@
        "hyprland": "hyprland",
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nnf": "nnf",
        "pre-commit": "pre-commit",
        "slippi": "slippi",
        "sops-nix": "sops-nix"
@ -532,7 +474,7 @@
    },
    "slippi": {
      "inputs": {
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
        "lastModified": 1720625270,
--- a/flake.nix
+++ b/flake.nix
@ -21,7 +21,7 @@
    hyprland.url = "github:hyprwm/Hyprland";
    slippi.url = "github:lytedev/slippi-nix";
-    nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
+    # nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
  };
  nixConfig = {
@ -54,7 +54,7 @@
    home-manager,
    helix,
    hardware,
-    nnf,
+    # nnf,
    # hyprland,
    slippi,
    ...
@ -347,7 +347,8 @@
        modules = with nixosModules; [
          outputs.diskoConfigurations.unencrypted
          common
-          nnf.nixosModules.default
+          linux
          # nnf.nixosModules.default
          ./nixos/router.nix
        ];
      };
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -173,6 +173,14 @@
    };
  };
  linux = {pkgs, ...}: {
    home-manager.users.daniel = {
      imports = with homeManagerModules; [
        linux
      ];
    };
  };
  tailscale = {lib, ...}: {
    services.tailscale = {
      enable = true;
--- a/nixos/router.nix
+++ b/nixos/router.nix
@ -19,11 +19,11 @@
  };
  interfaces = {
    wan = {
-      name = "wan0";
+      name = "wan";
      mac = "00:01:2e:82:73:59";
    };
    lan = {
-      name = "lan0";
+      name = "lan";
      mac = "00:01:2e:82:73:5a";
    };
  };
@ -105,56 +105,120 @@ in {
      ff02::2 ip6-allrouters
    '';
-    nftables.firewall = let
+    nftables = let
-      me = config.networking.nftables.firewall.localZoneName;
+      inf = {
        lan = interfaces.lan.name;
        wan = interfaces.wan.name;
      };
    in {
      enable = true;
-      snippets.nnf-common.enable = true;
+      ruleset = with inf; ''
        table inet filter {
        	set LANv4 {
        		type ipv4_addr
        		flags interval
        		elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
        	}
        	set LANv6 {
        		type ipv6_addr
        		flags interval
        		elements = { fd00::/8, fe80::/10 }
        	}
          # maybe tailnet?
-      zones = {
+        	chain my_input_lan {
-        ${interfaces.wan.name} = {
+        		udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
-          interfaces = [interfaces.wan.name];
+        		udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"
-        };
+        	}
        ${interfaces.lan.name} = {
          parent = interfaces.wan.name;
          ipv4Addresses = [cidr];
        };
        # banned = {
        #   ingressExpression = [
        #     "ip saddr @banlist"
        #     "ip6 saddr @banlist6"
        #   ];
        #   egressExpression = [
        #     "ip daddr @banlist"
        #     "ip6 daddr @banlist6"
        #   ];
        # };
      };
-      rules = {
+          chain input {
-        dhcp = {
+            type filter hook input priority 0; policy drop;
-          from = "all";
+
-          to = [hosts.beefcake.ip];
+        		iif lo accept comment "Accept any localhost traffic"
-          allowedTCPPorts = [67];
+        		ct state invalid drop comment "Drop invalid connections"
-          allowedUDPPorts = [67];
+        		ct state established,related accept comment "Accept traffic originated from us"
-        };
+
-        http = {
+        		meta l4proto ipv6-icmp accept comment "Accept ICMPv6"
-          from = "all";
+        		meta l4proto icmp accept comment "Accept ICMP"
-          to = [hosts.beefcake.ip];
+        		ip protocol igmp accept comment "Accept IGMP"
-          allowedTCPPorts = [80 443];
+
-        };
+        		udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
-        router-ssh = {
+        		udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
-          from = "all";
+
-          to = [me];
+        		ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"
-          allowedTCPPorts = [2201];
+        		ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"
-        };
+
-        server-ssh = {
+            iifname "${lan}" accept comment "Allow local network to access the router"
-          from = "all";
+
-          to = [hosts.beefcake.ip];
+            iifname "${wan}" counter drop comment "Drop all other unsolicited traffic from wan"
-          allowedTCPPorts = [22];
+          }
-        };
+          chain forward {
-      };
+            type filter hook forward priority filter; policy drop;
            iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
            iifname { "${wan}" } oifname { "${lan}" } ct state { established, related } accept comment "Allow established back to LAN"
          }
        }
        table ip nat {
          chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oifname "${wan}" masquerade
          }
        }
      '';
    };
    # nftables.firewall = let
    #   me = config.networking.nftables.firewall.localZoneName;
    # in {
    #   enable = true;
    #   snippets.nnf-common.enable = true;
    #   zones = {
    #     ${interfaces.wan.name} = {
    #       interfaces = [interfaces.wan.name interfaces.lan.name];
    #     };
    #     ${interfaces.lan.name} = {
    #       parent = interfaces.wan.name;
    #       ipv4Addresses = [cidr];
    #     };
    #     # banned = {
    #     #   ingressExpression = [
    #     #     "ip saddr @banlist"
    #     #     "ip6 saddr @banlist6"
    #     #   ];
    #     #   egressExpression = [
    #     #     "ip daddr @banlist"
    #     #     "ip6 daddr @banlist6"
    #     #   ];
    #     # };
    #   };
    #   rules = {
    #     dhcp = {
    #       from = "all";
    #       to = [hosts.beefcake.ip];
    #       allowedTCPPorts = [67];
    #       allowedUDPPorts = [67];
    #     };
    #     http = {
    #       from = "all";
    #       to = [me];
    #       allowedTCPPorts = [80 443];
    #     };
    #     router-ssh = {
    #       from = "all";
    #       to = [me];
    #       allowedTCPPorts = [2201];
    #     };
    #     server-ssh = {
    #       from = "all";
    #       to = [hosts.beefcake.ip];
    #       allowedTCPPorts = [22];
    #     };
    #   };
    # };
  };
  systemd.network = {
@ -218,15 +282,23 @@ in {
  services.dnsmasq = {
    enable = true;
    settings = {
-      server = ["1.1.1.1" "9.9.9.9" "8.8.8.8"];
+      listen-address = "::,127.0.0.1,${ip}";
      port = 53;
      # dhcp-authoritative = true;
      # dnssec = true;
      # enable-ra = true;
      server = ["::1" "127.0.0.1" "1.1.1.1" "9.9.9.9" "8.8.8.8"];
      domain-needed = true;
      bogus-priv = true;
      no-resolv = true;
-      cache-size = 1000;
+      cache-size = "10000";
      dhcp-range = with dhcp_lease_space; ["${interfaces.lan.name},${min},${max},${netmask},24h"];
      except-interface = interfaces.wan.name;
      interface = interfaces.lan.name;
      dhcp-host =
        [