kyra(hardening): firewalld masquerading

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
s0me1newithhand7s 2026-05-03 15:57:34 +03:00
parent 4b768f6a11
commit e81f4f0829


@ -7,7 +7,48 @@
firewalld = { firewalld = {
enable = true; enable = true;
settings = {
IPv6_rpfilter = "strict";
CleanupModulesOnExit = true;
StrictForwardPorts = true;
};
services = { services = {
"ntp" = {
short = "ntpd-rs";
ports = [
{
port = 123;
protocol = "udp";
}
{
port = 4460;
protocol = "tcp";
}
];
};
"dns" = {
short = "hickory-dns";
ports = [
{
port = 853;
protocol = "tcp";
}
];
};
"quic" = {
short = "http3";
ports = [
{
port = 443;
protocol = "udp";
}
];
};
"stalwart" = { "stalwart" = {
short = "Stalwart-mail"; short = "Stalwart-mail";
ports = ports =
@ -62,24 +103,28 @@
}; };
zones = { zones = {
"trusted" = { "netbird" = {
services = [ services = [
"ssh"
"consul" "consul"
]; ];
}; };
"wan" = { "wan" = {
ports = [ target = "DROP";
masquerade = true;
forwardPorts = [
{ {
port = 2053; port = 443;
protocol = "udp"; protocol = "udp";
to-port = 8443;
to-addr = "192.168.101.2";
} }
];
{ ports = [
port = 8443;
protocol = "tcp";
}
{ {
port = 51820; port = 51820;
protocol = "udp"; protocol = "udp";
@ -119,17 +164,17 @@
services = lib.concatLists [ services = lib.concatLists [
[ [
"ssh" "quic"
"http" "http"
"https" "https"
"ntp"
"dns"
] ]
( (
lib.optionals ( lib.optionals (
lib.elem name [ lib.elem name [
"hazel" "hazel"
"lynn"
"mel"
] ]
) [ ) [
"minecraft" "minecraft"