From e6b10204bfabe241e469d65bb4a4f4d3d3648a4c Mon Sep 17 00:00:00 2001
From: Vivien Kraus
Date: Sun, 27 Dec 2020 16:06:24 +0100
Subject: Add a sensible firewall
---
 guix/vkraus/modules/firewall.scm | 69 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 guix/vkraus/modules/firewall.scm
(limited to 'guix/vkraus/modules/firewall.scm')
diff --git a/guix/vkraus/modules/firewall.scm b/guix/vkraus/modules/firewall.scm
new file mode 100644
index 0000000..187c378
--- /dev/null
+++ b/guix/vkraus/modules/firewall.scm
@@ -0,0 +1,69 @@
+(define-module (vkraus modules firewall)
+ #:use-module (gnu services)
+ #:use-module (gnu services networking)
+ #:use-module (guix gexp)
+ #:use-module (guix modules)
+ #:use-module (guix records)
+ #:use-module (ice-9 match)
+ #:use-module (ice-9 optargs))
+
+(define-public (make-firewall tcp-ports udp-ports)
+ ;; This is the nftables firewall, inspired from
+ ;; https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
+ (let* ((config-data (format #f "
+flush ruleset
+
+table inet firewall {
+ chain inbound {
+ # By default, drop all traffic unless it meets a filter
+ # criteria specified by the rules that follow below.
+ type filter hook input priority 0; policy drop;
+
+ # Allow traffic from established and related packets.
+ ct state established,related accept
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Allow loopback traffic.
+ iifname lo accept
+
+ # Allow all ICMP and IGMP traffic, but enforce a rate limit
+ # to help prevent some types of flood attacks.
+ ip protocol icmp limit rate 4/second accept
+ ip6 nexthdr ipv6-icmp limit rate 4/second accept
+ ip protocol igmp limit rate 4/second accept
+
+ # Allow TCP ports
+ tcp dport { ~a } accept
+
+ # Allow UDP ports
+ udp dport { ~a } accept
+ }
+
+ chain forward {
+ # Drop everything (assumes this device is not a router)
+ type filter hook forward priority 0; policy drop;
+
+ }
+
+ chain outbound {
+ # Allow all outbound traffic
+ type filter hook output priority 0; policy accept;
+ }
+}
+"
+ (string-join (map (lambda (port)
+ (format #f "~a" port)))
+ ", ")))
+ (file (plain-file "firewall" config-data)))
+ (service nftables-service-type
+ (nftables-configuration
+ (ruleset file)))))
+
+(define-public pk-firewall
+ (make-firewall
+ ;; TCP ports
+ '(22 http https 143 993 25 10025 465 587 5222 5269)
+ ;; UDP ports
+ '()))
--
cgit v1.2.3
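Review bot: `make-firewall` never uses its `tcp-ports` and `udp-ports` parameters: the `map` inside the `string-join` call is given only the lambda and no list, and the outer `format` receives a single argument for the two `~a` placeholders, so evaluating `pk-firewall` at module load should raise a wrong-number-of-arguments error before any ruleset is produced. Factoring the port rendering into a small helper and passing both joined lists to `format` fixes this, as sketched below. Separately, `pk-firewall` passes `'()` for UDP, which would render as `udp dport {  } accept`; I believe nft rejects an empty anonymous set, so the rule should be omitted (or the list guarded) when it is empty, otherwise the service fails to load and the host runs without the intended drop policy. The `(guix modules)`, `(guix records)`, `(ice-9 match)` and `(ice-9 optargs)` imports are unused and could be dropped.
```scheme
(define-public (make-firewall tcp-ports udp-ports)
  ;; Render a port list as the body of an nftables set: '(22 http) -> "22, http".
  (define (join-ports ports)
    (string-join (map (lambda (port) (format #f "~a" port)) ports) ", "))
  (let* ((config-data (format #f "
;; … unchanged: nftables ruleset template with the two ~a placeholders …
"
                              (join-ports tcp-ports)
                              (join-ports udp-ports)))
         (file (plain-file "firewall" config-data)))
    ;; … unchanged: (service nftables-service-type …) …
```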