author | Kjetil Orbekk <kjetil.orbekk@gmail.com> | 2019-10-12 14:37:22 -0400 |
committer | Kjetil Orbekk <kjetil.orbekk@gmail.com> | 2019-10-12 14:37:22 -0400 |
commit | e97e7d5ab6338755a043900509c265478fd18d12 (patch) | |
tree | 1a09cb17ec88e6977bc458250f8157c219ac90e4 | |
parent | 45bde3aa250d4c65653e3e45b282f8757b37f971 (diff) |
ferm
-rw-r--r-- | config/ap.nix | 48 | ||||
-rw-r--r-- | machines/x1-pincer.nix | 6 |
2 files changed, 47 insertions, 7 deletions
diff --git a/config/ap.nix b/config/ap.nix
index 59d79de..f168910 100644
--- a/config/ap.nix
+++ b/config/ap.nix
@@ -7,7 +7,7 @@ in
 networking.networkmanager.enable = lib.mkForce false;
 networking.firewall = {
- enable = lib.mkForce true;
+ enable = lib.mkForce false;
 allowedTCPPorts = lib.mkForce [ ];
 allowedUDPPorts = lib.mkForce [ ];
 allowPing = true;
@@ -16,6 +16,52 @@ in
 trustedInterfaces = [ "${lan-dev}" ];
 };
+ services.ferm = {
+ enable = true;
+ config = ''
+ @def $DEV_LAN = ${lan-dev};
+ @def $DEV_WAN = ${wan-dev};
+ @def $NET_LAN = 10.64.30.0/24;
+
+ domain ip6 table filter chain INPUT {
+ proto ipv6-icmp ACCEPT;
+ }
+
+ domain (ip ip6) table filter {
+ chain INPUT {
+ policy DROP;
+
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ interface lo ACCEPT;
+ proto icmp icmp-type echo-request ACCEPT;
+
+ interface $DEV_LAN {
+ proto (tcp udp) dport (ssh domain bootps) ACCEPT;
+ }
+ }
+
+ chain OUTPUT policy ACCEPT;
+
+ chain FORWARD {
+ policy DROP;
+
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ interface $DEV_LAN ACCEPT;
+ }
+ }
+
+ table nat {
+ chain POSTROUTING {
+ saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
+ }
+ }
+ '';
+ };
+
 services = {
 openssh.enable = lib.mkDefault true;
 openssh.passwordAuthentication = false;
diff --git a/machines/x1-pincer.nix b/machines/x1-pincer.nix
index cb725e2..246ab0d 100644
--- a/machines/x1-pincer.nix
+++ b/machines/x1-pincer.nix
@@ -15,12 +15,6 @@
 # services.displayManager.slim.enable = lib.mkForce false;
 # services.xserver.desktopManager.kodi.enable = true;
- services.ferm = {
- enable = false;
- config = ''
- '';
- };
-
 boot = {
 kernelPackages = pkgs.linuxPackages_latest;
 kernelModules = ["xpad"];
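Review bot: Once `enable = lib.mkForce false;` lands, the `allowedTCPPorts`, `allowedUDPPorts`, `allowPing` and `trustedInterfaces` entries still sitting in this `networking.firewall` attrset no longer produce any rule, so the attrset reads as if `${lan-dev}` were trusted by the NixOS firewall when nothing enforces that any more. Whatever else the NixOS firewall module used to install besides port rules — its reverse-path check (`checkReversePath`) comes to mind — presumably went with it, so the ferm ruleset added later in this file is now the only packet filter; confirm on the host with `iptables-save`. A one-line comment at the top of the attrset, `# NixOS firewall deliberately off: services.ferm below owns the ruleset; the options kept here are inert`, would make the hand-off explicit, or the inert options could be dropped in a follow-up. The `networking.firewall` attrset continues past the end of this hunk.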
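Review bot: In the `domain (ip ip6)` FORWARD chain, `interface $DEV_LAN ACCEPT;` forwards any packet that arrives on the LAN port regardless of its source address, while `table nat` only masquerades `saddr $NET_LAN`, so a LAN host that forges a source outside 10.64.30.0/24 is routed out `$DEV_WAN` with the spoofed address intact. With the NixOS firewall disabled in the earlier hunk there is presumably no reverse-path check left to catch that either, so the anti-spoofing belongs in this ruleset; for IPv4 the forward rule can be pinned to the prefix and the egress side, `interface $DEV_LAN outerface $DEV_WAN saddr $NET_LAN ACCEPT;`, placed in a `domain ip` FORWARD block (with `@if @eq($DOMAIN, ip6)` or a separate `domain ip6` block keeping the broader rule for v6, since `$NET_LAN` is an IPv4 prefix). Separately, the `domain ip6` INPUT block accepts every ICMPv6 type from every interface, `$DEV_WAN` included, and does so before the INVALID/state checks; that is common on a small router but deserves a comment such as `# all ICMPv6 accepted (NDP, PMTU) — see RFC 4890 before narrowing` so the next reader knows it is intentional. `wan-dev` is expected to come from the `let` binding above this hunk, which is not visible here.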