2 files changed, 167 insertions, 4 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 11f74373..bcfa1e10 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -65,13 +65,19 @@ in {
        "::1" = [ "sif.yggdrasil" "sif" ];
      };
-      firewall = {
+      firewall.enable = false;
+      nftables = {
        enable = true;
-        allowedTCPPorts = [ 22 # ssh
+        rulesetFile = ./ruleset.nft;
-                            8000 # quickserve
-                          ];
      };
+      # firewall = {
+      #   enable = true;
+      #   allowedTCPPorts = [ 22 # ssh
+      #                       8000 # quickserve
+      #                     ];
+      # };
      # wlanInterfaces = {
      #   wlan0 = {
      #     device = "wlp82s0";
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
new file mode 100644
index 00000000..62fa90db
--- /dev/null
+++ b/hosts/sif/ruleset.nft
@@ -0,0 +1,157 @@
+define icmp_protos = { ipv6-icmp, icmp, igmp }
+table arp filter {
+  limit lim_arp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  counter arp-rx {}
+  counter arp-tx {}
+  counter arp-ratelimit-rx {}
+  counter arp-ratelimit-tx {}
+  chain input {
+    type filter hook input priority filter
+    policy accept
+    limit name lim_arp counter name arp-ratelimit-rx drop
+    counter name arp-rx
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+    limit name lim_arp counter name arp-ratelimit-tx drop
+    counter name arp-tx
+  }
+}
+table inet filter {
+  limit lim_reject {
+    rate over 1000/second burst 1000 packets
+  }
+  limit lim_icmp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  counter invalid-fw {}
+  counter reject-ratelimit-fw {}
+  counter reject-fw {}
+  counter reject-tcp-fw {}
+  counter reject-icmp-fw {}
+  counter invalid-rx {}
+  counter rx-lo {}
+  counter invalid-local4-rx {}
+  counter invalid-local6-rx {}
+  counter icmp-ratelimit-rx {}
+  counter icmp-rx {}
+  counter ssh-rx {}
+  counter mosh-rx {}
+  counter wg-rx {}
+  counter yggdrasil-gre-rx {}
+  counter quickserve-rx {}
+  counter established-rx {}
+  counter reject-ratelimit-rx {}
+  counter reject-rx {}
+  counter reject-tcp-rx {}
+  counter reject-icmp-rx {}
+  counter tx-lo {}
+  counter icmp-ratelimit-tx {}
+  counter icmp-tx {}
+  counter ssh-tx {}
+  counter mosh-tx {}
+  counter wg-tx {}
+  counter yggdrasil-gre-tx {}
+  counter quickserve-tx {}
+  counter tx {}
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+    ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
+    iifname lo counter name fw-lo accept
+    limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
+    log level debug prefix "reject forward: " counter name reject-fw
+    meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+    ct state new counter name reject-icmp-fw reject
+  }
+  chain input {
+    type filter hook input priority filter
+    policy drop
+    ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
+    
+    iifname lo counter name rx-lo accept
+    iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+    iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+    meta l4proto $icmp_protos counter name icmp-rx accept
+    tcp dport 22 counter name ssh-rx accept
+    udp dport 60001-61000 counter name mosh-rx accept
+    tcp dport 8000 counter name quickserve-rx accept
+    udp dport 51820-51822 counter name wg-rx accept
+    iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
+    ct state {established, related} counter name established-rx accept
+    limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+    log level debug prefix "reject input: " counter name reject-rx
+    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+    ct state new counter name reject-icmp-rx reject
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+    oifname lo counter name tx-lo accept
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+    meta l4proto $icmp_protos counter name icmp-tx accept
+    tcp sport 22 counter name ssh-tx
+    udp sport 60001-61000 counter name mosh-tx
+    udp sport 51820-51822 counter name wg-tx
+    iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
+    tcp sport 8000 counter name http-tx accept
+    counter name tx
+  }
+}

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 11f74373..bcfa1e10 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix
@@ -65,13 +65,19 @@ in {
65	"::1" = [ "sif.yggdrasil" "sif" ];	65	"::1" = [ "sif.yggdrasil" "sif" ];
66	};	66	};
67		67
68	firewall = {	68	firewall.enable = false;
		69	nftables = {
69	enable = true;	70	enable = true;
70	allowedTCPPorts = [ 22 # ssh	71	rulesetFile = ./ruleset.nft;
71	8000 # quickserve
72	];
73	};	72	};
74		73
		74	# firewall = {
		75	# enable = true;
		76	# allowedTCPPorts = [ 22 # ssh
		77	# 8000 # quickserve
		78	# ];
		79	# };
		80
75	# wlanInterfaces = {	81	# wlanInterfaces = {
76	# wlan0 = {	82	# wlan0 = {
77	# device = "wlp82s0";	83	# device = "wlp82s0";


diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft new file mode 100644 index 00000000..62fa90db --- /dev/null +++ b/hosts/sif/ruleset.nft
@@ -0,0 +1,157 @@
		1	define icmp_protos = { ipv6-icmp, icmp, igmp }
		2
		3	table arp filter {
		4	limit lim_arp {
		5	rate over 50 mbytes/second burst 50 mbytes
		6	}
		7
		8	counter arp-rx {}
		9	counter arp-tx {}
		10
		11	counter arp-ratelimit-rx {}
		12	counter arp-ratelimit-tx {}
		13
		14	chain input {
		15	type filter hook input priority filter
		16	policy accept
		17
		18	limit name lim_arp counter name arp-ratelimit-rx drop
		19
		20	counter name arp-rx
		21	}
		22
		23	chain output {
		24	type filter hook output priority filter
		25	policy accept
		26
		27	limit name lim_arp counter name arp-ratelimit-tx drop
		28
		29	counter name arp-tx
		30	}
		31	}
		32
		33	table inet filter {
		34	limit lim_reject {
		35	rate over 1000/second burst 1000 packets
		36	}
		37
		38	limit lim_icmp {
		39	rate over 50 mbytes/second burst 50 mbytes
		40	}
		41
		42	counter invalid-fw {}
		43
		44	counter reject-ratelimit-fw {}
		45	counter reject-fw {}
		46	counter reject-tcp-fw {}
		47	counter reject-icmp-fw {}
		48
		49
		50	counter invalid-rx {}
		51	counter rx-lo {}
		52	counter invalid-local4-rx {}
		53	counter invalid-local6-rx {}
		54
		55	counter icmp-ratelimit-rx {}
		56	counter icmp-rx {}
		57
		58	counter ssh-rx {}
		59	counter mosh-rx {}
		60	counter wg-rx {}
		61	counter yggdrasil-gre-rx {}
		62	counter quickserve-rx {}
		63
		64	counter established-rx {}
		65
		66	counter reject-ratelimit-rx {}
		67	counter reject-rx {}
		68	counter reject-tcp-rx {}
		69	counter reject-icmp-rx {}
		70
		71
		72	counter tx-lo {}
		73
		74	counter icmp-ratelimit-tx {}
		75	counter icmp-tx {}
		76
		77	counter ssh-tx {}
		78	counter mosh-tx {}
		79	counter wg-tx {}
		80	counter yggdrasil-gre-tx {}
		81	counter quickserve-tx {}
		82
		83	counter tx {}
		84
		85
		86	chain forward {
		87	type filter hook forward priority filter
		88	policy drop
		89
		90
		91	ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
		92
		93
		94	iifname lo counter name fw-lo accept
		95
		96
		97	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
		98	log level debug prefix "reject forward: " counter name reject-fw
		99	meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
		100	ct state new counter name reject-icmp-fw reject
		101	}
		102
		103	chain input {
		104	type filter hook input priority filter
		105	policy drop
		106
		107
		108	ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
		109
		110
		111	iifname lo counter name rx-lo accept
		112	iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
		113	iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
		114
		115	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
		116	meta l4proto $icmp_protos counter name icmp-rx accept
		117
		118	tcp dport 22 counter name ssh-rx accept
		119	udp dport 60001-61000 counter name mosh-rx accept
		120
		121	tcp dport 8000 counter name quickserve-rx accept
		122
		123	udp dport 51820-51822 counter name wg-rx accept
		124	iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
		125
		126	ct state {established, related} counter name established-rx accept
		127
		128
		129	limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
		130	log level debug prefix "reject input: " counter name reject-rx
		131	meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
		132	ct state new counter name reject-icmp-rx reject
		133	}
		134
		135	chain output {
		136	type filter hook output priority filter
		137	policy accept
		138
		139
		140	oifname lo counter name tx-lo accept
		141
		142	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
		143	meta l4proto $icmp_protos counter name icmp-tx accept
		144
		145
		146	tcp sport 22 counter name ssh-tx
		147	udp sport 60001-61000 counter name mosh-tx
		148
		149	udp sport 51820-51822 counter name wg-tx
		150	iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
		151
		152	tcp sport 8000 counter name http-tx accept
		153
		154
		155	counter name tx
		156	}
		157	}