Diffstat (limited to 'config/ap.nix')
-rw-r--r--config/ap.nix48
1 files changed, 47 insertions, 1 deletions
diff --git a/config/ap.nix b/config/ap.nix
index 59d79de..f168910 100644
--- a/config/ap.nix
+++ b/config/ap.nix
@@ -7,7 +7,7 @@ in
networking.networkmanager.enable = lib.mkForce false;
networking.firewall = {
- enable = lib.mkForce true;
+ enable = lib.mkForce false;
allowedTCPPorts = lib.mkForce [ ];
allowedUDPPorts = lib.mkForce [ ];
allowPing = true;
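Review bot: Once `enable = lib.mkForce false;` is in place, the `allowedTCPPorts`, `allowedUDPPorts`, `allowPing` and `trustedInterfaces` settings that remain in this attribute set are inert, and a later reader will assume the LAN interface is still trusted and ping is still allowed by the NixOS firewall rather than by the ferm rules added further down. Either drop those lines or keep a comment next to the `enable` line, e.g. `# Filtering is done by services.ferm below; the remaining networking.firewall options have no effect while enable = false.`. Worth noting too that the host now has no packet filter at all until the ferm unit has loaded its config, so a ferm syntax error leaves every port open rather than falling back to the module's default DROP policy; the ferm configuration is what has to be reviewed for the actual exposure. The `networking.firewall = {` set this hunk edits closes outside the hunk.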
@@ -16,6 +16,52 @@ in
trustedInterfaces = [ "${lan-dev}" ];
};
+ services.ferm = {
+ enable = true;
+ config = ''
+ @def $DEV_LAN = ${lan-dev};
+ @def $DEV_WAN = ${wan-dev};
+ @def $NET_LAN = 10.64.30.0/24;
+
+ domain ip6 table filter chain INPUT {
+ proto ipv6-icmp ACCEPT;
+ }
+
+ domain (ip ip6) table filter {
+ chain INPUT {
+ policy DROP;
+
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ interface lo ACCEPT;
+ proto icmp icmp-type echo-request ACCEPT;
+
+ interface $DEV_LAN {
+ proto (tcp udp) dport (ssh domain bootps) ACCEPT;
+ }
+ }
+
+ chain OUTPUT policy ACCEPT;
+
+ chain FORWARD {
+ policy DROP;
+
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ interface $DEV_LAN ACCEPT;
+ }
+ }
+
+ table nat {
+ chain POSTROUTING {
+ saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
+ }
+ }
+ '';
+ };
+
services = {
openssh.enable = lib.mkDefault true;
openssh.passwordAuthentication = false;