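(define-module (vkraus modules firewall)
  #:use-module (gnu services)
  #:use-module (gnu services networking)
  #:use-module (guix gexp)
  #:use-module (guix modules)
  #:use-module (guix records)
  #:use-module (ice-9 match)
  #:use-module (ice-9 optargs))

(define (port-set-rule proto ports)
  "Render one nftables rule accepting PROTO (\"tcp\" or \"udp\") traffic to
PORTS, or the empty string when PORTS is empty.

An empty set (\"dport { }\") is a syntax error for nft, so rendering it would
make the whole ruleset fail to load and leave the host without the drop
policy; omitting the rule keeps the chain's default policy in force instead.
Elements of PORTS are interpolated verbatim with ~a, so callers must pass only
port numbers or nft service names (e.g. http); nothing is escaped."
  (if (null? ports)
      ""
      (string-append "        " proto " dport { "
                     (string-join (map (lambda (port) (format #f "~a" port))
                                       ports)
                                  ", ")
                     " } accept")))

(define (firewall-ruleset tcp-ports udp-ports)
  "Return the nftables ruleset text for a host firewall.

Inbound traffic is dropped unless it belongs to an established or related
flow, arrives on loopback, is rate-limited ICMP/IGMP, or is destined for one
of TCP-PORTS / UDP-PORTS.  Forwarded traffic is dropped (this device is not a
router) and all outbound traffic is accepted.  Inspired from
https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server"
  ;; The flush is in the same file as the new rules, so an nft load
  ;; replaces the old ruleset in one transaction rather than leaving a
  ;; window with no rules installed.
  (format #f "
flush ruleset
table inet firewall {
    chain inbound {
        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets.
        ct state established,related accept

        # Drop invalid packets.
        ct state invalid drop

        # Allow loopback traffic.
        iifname lo accept

        # Allow all ICMP and IGMP traffic, but enforce a rate limit
        # to help prevent some types of flood attacks.
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept

        # Allow TCP ports
~a

        # Allow UDP ports
~a
    }

    chain forward {
        # Drop everything (assumes this device is not a router)
        type filter hook forward priority 0; policy drop;
    }

    chain outbound {
        # Allow all outbound traffic
        type filter hook output priority 0; policy accept;
    }
}
"
          (port-set-rule "tcp" tcp-ports)
          (port-set-rule "udp" udp-ports)))

(define-public (make-firewall tcp-ports udp-ports)
  "Return an nftables service whose ruleset accepts inbound TCP-PORTS and
UDP-PORTS and drops everything else inbound; see `firewall-ruleset' for the
full policy.  The ruleset is stored in the store as a plain file named
\"firewall\".  Either list may be empty, in which case no accept rule is
emitted for that protocol."
  (let ((file (plain-file "firewall" (firewall-ruleset tcp-ports udp-ports))))
    (service nftables-service-type
             (nftables-configuration (ruleset file)))))

(define-public pk-firewall
  (make-firewall
   ;; TCP ports: SSH, HTTP, HTTPS, IMAP, IMAPS, SMTP (25 and 10025), SMTPS,
   ;; SMTPAUTH, XMPP-client, XMPP-server, the substitute server
   '(22 http https 143 993 25 10025 465 587 5222 5269 8091)
   ;; UDP ports: HTTP/HTTPS, 64738 and Minetest (30000)
   '(http https 64738 30000)))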