From 94676e929ed1f959325839ee23b6ef416f50a524 Mon Sep 17 00:00:00 2001 From: Brendan Golden Date: Fri, 13 Jan 2023 17:22:29 +0000 Subject: [PATCH] feat: basic firewall config to test it out --- applications/firewall.nix | 51 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 applications/firewall.nix diff --git a/applications/firewall.nix b/applications/firewall.nix new file mode 100644 index 0000000..83fd939 --- /dev/null +++ b/applications/firewall.nix @@ -0,0 +1,51 @@ +{ + + networking.nftables.enable = true; + + # fules for the + networking.nftables.ruleset = '' + # Check out https://wiki.nftables.org/ for better documentation. + # Table for both IPv4 and IPv6. + table inet filter { + # Block all incomming connections traffic except SSH and "ping". + chain input { + type filter hook input priority 0; + + # accept any localhost traffic + iifname lo accept + + # accept traffic originated from us + ct state {established, related} accept + + # ICMP + # routers may also want: mld-listener-query, nd-router-solicit + ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept + ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept + + # allow "ping" + ip6 nexthdr icmpv6 icmpv6 type echo-request accept + ip protocol icmp icmp type echo-request accept + + # accept SSH connections (required for a server) + tcp dport 22 accept + # tcp dport 21 accept + + # count and drop any other traffic + counter drop + } + + # Allow all outgoing connections. + chain output { + type filter hook output priority 0; + accept + } + + chain forward { + type filter hook forward priority 0; + accept + } + } + ''; + + +}