(define-module (vkraus modules firewall)
#:use-module (gnu services)
#:use-module (gnu services networking)
#:use-module (guix gexp)
#:use-module (guix modules)
#:use-module (guix records)
#:use-module (ice-9 match)
#:use-module (ice-9 optargs))
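(define (port->string port)
  "Render PORT, one entry of a dport set, as text for the nftables ruleset.

Only exact integers in the TCP/UDP port range and bare service-name symbols
(for example `http') are accepted; anything else raises an error at
evaluation time, so a typo in a port list fails when the system is built
rather than when `nft -f' rejects the generated file on the host."
  (cond ((and (integer? port) (exact? port) (<= 1 port 65535))
         (number->string port))
        ((symbol? port)
         (symbol->string port))
        (else
         (error "make-firewall: invalid port designator" port))))

(define (port-rule proto ports)
  "Return the accept rule for PROTO (\"tcp\" or \"udp\") and the list PORTS,
already indented for the `inbound' chain and ending with a newline.

When PORTS is empty the result is the empty string: the rule is omitted
altogether, because nft does not accept an empty set literal `{ }' and the
whole ruleset would fail to load."
  (if (null? ports)
      ""
      (format #f "    # Allow ~a ports\n    ~a dport { ~a } accept\n"
              (string-upcase proto)
              proto
              (string-join (map port->string ports) ", "))))

(define (firewall-ruleset tcp-ports udp-ports)
  "Return the text of the nftables ruleset accepting TCP-PORTS and UDP-PORTS.

The ruleset is inspired from
https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server.
It begins with `flush ruleset', which discards every table currently loaded
in the kernel, not only the `firewall' table defined here; this service
therefore has to be the only thing managing nftables on the host."
  (string-append "
flush ruleset
table inet firewall {
  chain inbound {
    # By default, drop all traffic unless it meets a filter
    # criteria specified by the rules that follow below.
    type filter hook input priority 0; policy drop;
    # Allow traffic from established and related packets.
    ct state established,related accept
    # Drop invalid packets.
    ct state invalid drop
    # Allow loopback traffic.
    iifname lo accept
    # Allow all ICMP and IGMP traffic, but enforce a rate limit
    # to help prevent some types of flood attacks.
    ip protocol icmp limit rate 4/second accept
    ip6 nexthdr ipv6-icmp limit rate 4/second accept
    ip protocol igmp limit rate 4/second accept
"
                 (port-rule "tcp" tcp-ports)
                 (port-rule "udp" udp-ports)
                 "  }
  chain forward {
    # Drop everything (assumes this device is not a router)
    type filter hook forward priority 0; policy drop;
  }
  chain outbound {
    # Allow all outbound traffic
    type filter hook output priority 0; policy accept;
  }
}
"))

(define-public (make-firewall tcp-ports udp-ports)
  "Return an nftables service whose input chain drops everything except
established/related traffic, loopback, rate-limited ICMP/IGMP, and inbound
TCP on TCP-PORTS and UDP on UDP-PORTS.  Forwarding is dropped and all
outbound traffic is accepted.

TCP-PORTS and UDP-PORTS are lists of port numbers or service-name symbols;
either list may be empty, in which case no rule is emitted for that
protocol.  An entry that is neither raises an error."
  ;; The ruleset is written to the store as a plain file and handed to
  ;; nftables-service-type, which loads it with `nft -f'.
  (let ((file (plain-file "firewall"
                          (firewall-ruleset tcp-ports udp-ports))))
    (service nftables-service-type
             (nftables-configuration
              (ruleset file)))))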
(define-public pk-firewall
  ;; The host's firewall service.
  ;; TCP: SSH, HTTP, HTTPS, IMAP, IMAPS, SMTP (25 and 10025), SMTPS,
  ;; SMTPAUTH, XMPP-client, XMPP-server, MUMBLE, the substitute server.
  ;; UDP: HTTP, HTTPS, MUMBLE and Minetest.
  (let ((tcp-ports '(22 http https 143 993 25 10025 465 587 5222 5269 64738 8091))
        (udp-ports '(http https 64738 30000)))
    (make-firewall tcp-ports udp-ports)))