authorVivien Kraus <vivien@planete-kraus.eu>2020-12-27 16:06:24 +0100
committerVivien Kraus <vivien@planete-kraus.eu>2020-12-27 16:06:24 +0100
commite6b10204bfabe241e469d65bb4a4f4d3d3648a4c (patch)
tree03a44a8b1e0e40e7392579674c2d475796e40fce
Add a sensible firewall
-rw-r--r--.guix-channel6
-rw-r--r--guix/vkraus/modules/firewall.scm69
2 files changed, 75 insertions, 0 deletions
diff --git a/.guix-channel b/.guix-channel
new file mode 100644
index 0000000..8e7197b
--- /dev/null
+++ b/.guix-channel
@@ -0,0 +1,6 @@
+(channel
+ (version 0)
+ (directory "guix"))
+;; Local Variables:
+;; mode: scheme
+;; End:
diff --git a/guix/vkraus/modules/firewall.scm b/guix/vkraus/modules/firewall.scm
new file mode 100644
index 0000000..187c378
--- /dev/null
+++ b/guix/vkraus/modules/firewall.scm
@@ -0,0 +1,69 @@
+(define-module (vkraus modules firewall)
+ #:use-module (gnu services)
+ #:use-module (gnu services networking)
+ #:use-module (guix gexp)
+ #:use-module (guix modules)
+ #:use-module (guix records)
+ #:use-module (ice-9 match)
+ #:use-module (ice-9 optargs))
+
+(define-public (make-firewall tcp-ports udp-ports)
+ ;; This is the nftables firewall, inspired from
+ ;; https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
+ (let* ((config-data (format #f "
+flush ruleset
+
+table inet firewall {
+ chain inbound {
+ # By default, drop all traffic unless it meets a filter
+ # criteria specified by the rules that follow below.
+ type filter hook input priority 0; policy drop;
+
+ # Allow traffic from established and related packets.
+ ct state established,related accept
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Allow loopback traffic.
+ iifname lo accept
+
+ # Allow all ICMP and IGMP traffic, but enforce a rate limit
+ # to help prevent some types of flood attacks.
+ ip protocol icmp limit rate 4/second accept
+ ip6 nexthdr ipv6-icmp limit rate 4/second accept
+ ip protocol igmp limit rate 4/second accept
+
+ # Allow TCP ports
+ tcp dport { ~a } accept
+
+ # Allow UDP ports
+ udp dport { ~a } accept
+ }
+
+ chain forward {
+ # Drop everything (assumes this device is not a router)
+ type filter hook forward priority 0; policy drop;
+
+ }
+
+ chain outbound {
+ # Allow all outbound traffic
+ type filter hook output priority 0; policy accept;
+ }
+}
+"
+ (string-join (map (lambda (port)
+ (format #f "~a" port)))
+ ", ")))
+ (file (plain-file "firewall" config-data)))
+ (service nftables-service-type
+ (nftables-configuration
+ (ruleset file)))))
+
+(define-public pk-firewall
+ (make-firewall
+ ;; TCP ports
+ '(22 http https 143 993 25 10025 465 587 5222 5269)
+ ;; UDP ports
+ '()))
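Review bot: The `map` call that fills the port sets, `(string-join (map (lambda (port) (format #f "~a" port))) ", ")`, is missing its list argument, so `tcp-ports` and `udp-ports` are never referenced and the outer `format` gets a single argument for its two `~a` directives; as written `make-firewall` cannot produce a ruleset. Passing each list in fixes the arity, but an empty list such as the `'()` given for UDP in `pk-firewall` then yields `udp dport {  } accept`, which nft rejects as far as I know because anonymous sets may not be empty. A ruleset that fails to load leaves the host without the intended input policy, so the `dport` rule should be emitted only when there is something to allow. One way is a small internal helper that returns an empty string for an empty list, with each of the two rule lines in the template replaced by a bare `~a`.
```scheme
(define-public (make-firewall tcp-ports udp-ports)
  ;; … unchanged: header comment …
  (define (dport-rule proto ports)
    ;; nft rejects an empty anonymous set, so emit no rule at all when
    ;; there is nothing to allow for this protocol.
    (if (null? ports)
        ""
        (format #f "~a dport { ~a } accept" proto
                (string-join (map (lambda (port) (format #f "~a" port)) ports)
                             ", "))))
  ;; … unchanged: ruleset template, with the `tcp dport` and `udp dport`
  ;;   lines each reduced to a single `~a` placeholder …
                               (dport-rule "tcp" tcp-ports)
                               (dport-rule "udp" udp-ports)))
  ;; … unchanged: plain-file binding and service definition …
```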