rotuer: use firewallgen to make packet filter rules
This commit is contained in:
		
							
								
								
									
										124
									
								
								examples/rotuer-firewall.nix
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										124
									
								
								examples/rotuer-firewall.nix
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,124 @@ | |||||||
|  | let | ||||||
|  |   drop = expr : "${expr} drop"; | ||||||
|  |   accept = expr : "${expr} accept"; | ||||||
|  |   mcast-scope = 8; | ||||||
|  |   allow-incoming = false; | ||||||
|  |   bogons-ip6 = { | ||||||
|  |     type = "filter"; | ||||||
|  |     family = "ip6"; | ||||||
|  |     rules = [ | ||||||
|  |       (drop "ip6 saddr ff00::/8") # multicast saddr is illegal | ||||||
|  |  | ||||||
|  |       (drop "ip6 saddr ::/128") # unspecified address | ||||||
|  |       (drop "ip6 daddr ::/128") | ||||||
|  |       (drop "ip6 saddr 2001:db8::/32") # documentation addresses | ||||||
|  |       (drop "ip6 daddr 2001:db8::/32") | ||||||
|  |  | ||||||
|  |       # I think this means "check FIB for (saddr, iif) to see if we | ||||||
|  |       # could route a packet to that address using that interface", | ||||||
|  |       # and if we can't then it was an inapproppriate source address | ||||||
|  |       # for packets received _from_ said interface | ||||||
|  |       (drop "fib saddr . iif oif eq 0") | ||||||
|  |  | ||||||
|  |       (drop "icmpv6 type router-renumbering") | ||||||
|  |       (drop "icmpv6 type 139") # Node Information Query | ||||||
|  |       (drop "icmpv6 type 140") # Node Information Response | ||||||
|  |       (drop "icmpv6 type 100") | ||||||
|  |       (drop "icmpv6 type 101") | ||||||
|  |       (drop "icmpv6 type 200") | ||||||
|  |       (drop "icmpv6 type 201") | ||||||
|  |       (drop "icmpv6 type 127") | ||||||
|  |       (drop "icmpv6 type 255") | ||||||
|  |       (drop "icmpv6 type destination-unreachable ct state invalid,untracked") | ||||||
|  |     ]; | ||||||
|  |   }; | ||||||
|  |   forward-ip6 = { | ||||||
|  |     type = "filter"; | ||||||
|  |     family = "ip6"; | ||||||
|  |     policy = "drop"; | ||||||
|  |     hook = "forward"; | ||||||
|  |     rules = [ | ||||||
|  |       "jump bogons-ip6" | ||||||
|  |       (drop "ip6 saddr ::1/128") # loopback address [RFC4291] | ||||||
|  |       (drop "ip6 daddr ::1/128") | ||||||
|  |       (drop "ip6 saddr ::FFFF:0:0/96")# IPv4-mapped addresses | ||||||
|  |       (drop "ip6 daddr ::FFFF:0:0/96") | ||||||
|  |       (drop "ip6 saddr fe80::/10") # link-local unicast | ||||||
|  |       (drop "ip6 daddr fe80::/10") | ||||||
|  |       (drop "ip6 saddr fc00::/7") # unique-local addresses | ||||||
|  |       (drop "ip6 daddr fc00::/7") | ||||||
|  |       (drop "ip6 saddr 2001:10::/28") # ORCHID [RFC4843]. | ||||||
|  |       (drop "ip6 daddr 2001:10::/28") | ||||||
|  |  | ||||||
|  |       (drop "ip6 saddr fc00::/7") # unique local source | ||||||
|  |       (drop "ip6 daddr fc00::/7") # and/or dst addresses [RFC4193] | ||||||
|  |  | ||||||
|  |       # multicast with wrong scopes | ||||||
|  |       (drop | ||||||
|  |         # dest addr first byte 0xff, low nibble of second byte <= scope | ||||||
|  |         # https://www.mankier.com/8/nft#Payload_Expressions-Raw_Payload_Expression | ||||||
|  |         "@nh,192,8 eq 0xff @nh,204,4 le ${toString mcast-scope}") | ||||||
|  |  | ||||||
|  |       (accept "oifname \"int\" iifname \"ppp0\" meta l4proto udp ct state established,related") | ||||||
|  |       (accept "iifname \"int\" oifname \"ppp0\" meta l4proto udp") | ||||||
|  |  | ||||||
|  |       (accept "meta l4proto icmpv6") | ||||||
|  |       (accept "meta l4proto ah") | ||||||
|  |       (accept "meta l4proto esp") | ||||||
|  |  | ||||||
|  |       # does this ever get used or does the preceding general udp accept | ||||||
|  |       # already grab anything that might get here? | ||||||
|  |       (accept "oifname \"ppp0\" udp dport 500") # IKE Protocol [RFC5996]. haha zyxel | ||||||
|  |       (accept "ip6 nexthdr hip") | ||||||
|  |  | ||||||
|  |       ## FIXME no support yet for recs 27-30 Mobility Header | ||||||
|  |  | ||||||
|  |       (accept "oifname \"int\" iifname \"ppp0\" meta l4proto tcp ct state established,related") | ||||||
|  |       (accept "iifname \"int\" oifname \"ppp0\" meta l4proto tcp") | ||||||
|  |  | ||||||
|  |       (accept "oifname \"int\" iifname \"ppp0\" meta l4proto sctp ct state established,related") | ||||||
|  |       (accept "iifname \"int\" oifname \"ppp0\" meta l4proto sctp") | ||||||
|  |  | ||||||
|  |       (accept "oifname \"int\" iifname \"ppp0\" meta l4proto dccp ct state established,related") | ||||||
|  |       (accept "iifname \"int\" oifname \"ppp0\" meta l4proto dccp") | ||||||
|  |  | ||||||
|  |       # we can allow all reasonable inbound, or we can use an explicit | ||||||
|  |       # allowlist to enumerate the endpoints that are allowed to | ||||||
|  |       # accept inbound from the WAN | ||||||
|  |       (if allow-incoming | ||||||
|  |        then accept "oifname \"int\" iifname \"ppp0\"" | ||||||
|  |        else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6" | ||||||
|  |       ) | ||||||
|  |       # allow all outbound and any inbound that's part of a | ||||||
|  |       # recognised (outbound-initiated) flow | ||||||
|  |       (accept "oifname \"int\" iifname \"ppp0\" ct state established,related") | ||||||
|  |       (accept "iifname \"int\" oifname \"ppp0\" ") | ||||||
|  |     ]; | ||||||
|  |   }; | ||||||
|  |   input-ip6 = { | ||||||
|  |     type = "filter"; | ||||||
|  |     family = "ip6"; | ||||||
|  |     policy = "drop"; | ||||||
|  |     hook = "input"; | ||||||
|  |     rules = [ | ||||||
|  |       "jump bogons-ip6" | ||||||
|  |       (accept "meta l4proto icmpv6") | ||||||
|  |       (if allow-incoming | ||||||
|  |        then accept "oifname \"int\" iifname \"ppp0\"" | ||||||
|  |        else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6" | ||||||
|  |       ) | ||||||
|  |       (accept "oifname \"int\" iifname \"ppp0\"  ct state established,related") | ||||||
|  |       (accept "iifname \"int\" oifname \"ppp0\" ") | ||||||
|  |     ]; | ||||||
|  |   }; | ||||||
|  |  | ||||||
|  |   incoming-allowed-ip6 = { | ||||||
|  |     type = "filter"; | ||||||
|  |     family = "ip6"; | ||||||
|  |     rules = [ | ||||||
|  |       "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22" | ||||||
|  |     ]; | ||||||
|  |   }; | ||||||
|  | in { | ||||||
|  |   inherit input-ip6 forward-ip6 bogons-ip6 incoming-allowed-ip6; | ||||||
|  | } | ||||||
| @@ -226,15 +226,23 @@ in rec { | |||||||
|     dependencies = [ services.wan ]; |     dependencies = [ services.wan ]; | ||||||
|   }; |   }; | ||||||
|  |  | ||||||
|  |   services.firewall = | ||||||
|  |     let config = pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix); | ||||||
|  |     in oneshot { | ||||||
|  |       name = "firewall"; | ||||||
|  |       up = config; | ||||||
|  |       down = "${pkgs.nftables}/bin/nft flush ruleset"; | ||||||
|  |     }; | ||||||
|  |  | ||||||
|   services.packet_forwarding = |   services.packet_forwarding = | ||||||
|     let filename = "/proc/sys/net/ipv4/conf/all/forwarding"; |     let filename = "/proc/sys/net/ipv4/conf/all/forwarding"; | ||||||
|     in oneshot { |     in oneshot { | ||||||
|       name = "let-the-ip-flow"; |       name = "let-the-ip-flow"; | ||||||
|       up = '' |       up = '' | ||||||
|         ${pkgs.nftables}/bin/nft -f ${../nat.nft} |  | ||||||
|         echo 1 > ${filename} |         echo 1 > ${filename} | ||||||
|       ''; |       ''; | ||||||
|       down = "echo 0 > ${filename}"; |       down = "echo 0 > ${filename}"; | ||||||
|  |       dependencies = [ services.firewall ]; | ||||||
|     }; |     }; | ||||||
|  |  | ||||||
|   services.dhcp6 = |   services.dhcp6 = | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Daniel Barlow
					Daniel Barlow