reNixos/kyra/services/firewalld.nix
s0me1newithhand7s e81f4f0829 kyra(hardening): firewalld masquerading
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00


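{
  name,
  lib,
  ...
}: let
  # Build firewalld port entries for one protocol from a plain list of
  # port numbers, so every service below reads as "tcp [ ... ]".
  portsOf = protocol: map (port: { inherit port protocol; });
  tcp = portsOf "tcp";
  udp = portsOf "udp";

  # Hosts whose WAN uplink is ens3; mel uses eth0 instead.
  # `name` is presumably the host name handed in via specialArgs — confirm
  # against the flake. A host matching neither list gets a "wan" zone with
  # no interface bound, so its DROP target and allow-list never take effect
  # and the uplink falls into firewalld's default zone.
  ens3Hosts = [
    "hazel"
    "lynn"
    "yara"
    "ivy"
  ];
in {
  services.firewalld = {
    enable = true;

    settings = {
      # Strict reverse-path filtering for IPv6 (IPv4 rp_filter is a sysctl,
      # not a firewalld setting, and is not handled here).
      IPv6_rpfilter = "strict";
      # Unload netfilter modules when firewalld stops.
      CleanupModulesOnExit = true;
      # Tighter forward-port handling; see firewalld.conf(5) for the exact
      # semantics before relying on it.
      StrictForwardPorts = true;
    };

    services = {
      # NOTE(review): "ntp" and "dns" shadow firewalld's built-in services
      # of the same name (upstream "dns" opens 53/tcp+udp, here it is DoT
      # only). `firewall-cmd --info-service dns` will show this definition,
      # not the upstream one; distinct names would avoid surprises.
      ntp = {
        short = "ntpd-rs";
        # 123/udp plain NTP, 4460/tcp NTS key exchange.
        ports = udp [ 123 ] ++ tcp [ 4460 ];
      };
      dns = {
        short = "hickory-dns";
        # DNS over TLS only; classic port 53 is deliberately not opened.
        ports = tcp [ 853 ];
      };
      quic = {
        short = "http3";
        ports = udp [ 443 ];
      };
      stalwart = {
        short = "Stalwart-mail";
        # 25 SMTP, 110 POP3, 143 IMAP, 465 SMTPS, 993 IMAPS, 995 POP3S,
        # 4190 ManageSieve. 110/143/4190 begin in cleartext — make sure the
        # server requires STARTTLS before accepting credentials on them.
        ports = tcp [ 25 110 143 465 993 995 4190 ];
      };
      consul = {
        short = "Consul";
        # 8300 server RPC, 8301/8302 LAN/WAN gossip, 8500 HTTP API,
        # 8600 DNS. Gossip and DNS also use UDP.
        ports =
          tcp [ 8300 8301 8302 8500 8600 ]
          ++ udp [ 8301 8302 8600 ];
      };
    };

    zones = {
      # Overlay (NetBird) zone. No interface is bound to it in this file, so
      # the binding must come from elsewhere (e.g. the zone NetBird or
      # NetworkManager assigns to the tunnel interface); if it does not, the
      # overlay interface lands in the default zone and this list is dead.
      # Consul's HTTP API (8500) is reachable from every overlay peer, so it
      # is only as safe as Consul's own ACL/TLS setup — verify that.
      netbird.services = [
        "ssh"
        "consul"
      ];

      wan = {
        # Silently drop anything not explicitly allowed below.
        target = "DROP";
        # Needed for the forward-port below because the target is another
        # host: forwarded packets are SNATed to this box so replies return
        # through it. Masquerading in firewalld is IPv4-only and also turns
        # on IP forwarding for the host.
        masquerade = true;
        # NOTE(review): this DNAT is not conditioned on `name`, so every host
        # rewrites inbound 443/udp to 192.168.101.2:8443. DNAT happens in
        # prerouting, so the local "quic" service (443/udp) allowed in this
        # zone's service list can never receive traffic on these hosts —
        # one of the two entries is presumably unintended; confirm which.
        forwardPorts = [
          {
            port = 443;
            protocol = "udp";
            to-port = 8443;
            to-addr = "192.168.101.2";
          }
        ];
        # WireGuard.
        ports = udp [ 51820 ];
        # With inversion on, the listed ICMP types are the ONLY ones
        # accepted: echo-request keeps ping working, the error types keep
        # traceroute/PMTU diagnostics working. ICMPv6 packet-too-big and
        # neighbour discovery are not listed — verify IPv6 PMTUD and ND on
        # ens3/eth0 still work (conntrack's RELATED state may cover the
        # former; it does not cover ND).
        icmpBlockInversion = true;
        icmpBlocks = [
          "echo-request"
          "destination-unreachable"
          "parameter-problem"
          "time-exceeded"
        ];
        interfaces =
          lib.optionals (lib.elem name ens3Hosts) [ "ens3" ]
          ++ lib.optionals (name == "mel") [ "eth0" ];
        # Plain "http" stays open alongside https/quic (ACME/redirects,
        # presumably). Mail and minecraft are exposed only on hazel.
        services =
          [
            "quic"
            "http"
            "https"
            "ntp"
            "dns"
          ]
          ++ lib.optionals (name == "hazel") [
            "minecraft"
            "stalwart"
          ];
      };
    };
  };
}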