From e97e7d5ab6338755a043900509c265478fd18d12 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Sat, 12 Oct 2019 14:37:22 -0400
Subject: ferm
---
 config/ap.nix | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 machines/x1-pincer.nix | 6 ------
 2 files changed, 47 insertions(+), 7 deletions(-)
diff --git a/config/ap.nix b/config/ap.nix
index 59d79de..f168910 100644
--- a/config/ap.nix
+++ b/config/ap.nix
@@ -7,7 +7,7 @@ in
 networking.networkmanager.enable = lib.mkForce false;
 networking.firewall = {
- enable = lib.mkForce true;
+ enable = lib.mkForce false;
 allowedTCPPorts = lib.mkForce [ ];
 allowedUDPPorts = lib.mkForce [ ];
 allowPing = true;
@@ -16,6 +16,52 @@ in
 trustedInterfaces = [ "${lan-dev}" ];
 };
+ services.ferm = {
+ enable = true;
+ config = ''
+ @def $DEV_LAN = ${lan-dev};
+ @def $DEV_WAN = ${wan-dev};
+ @def $NET_LAN = 10.64.30.0/24;
+
+ domain ip6 table filter chain INPUT {
+ proto ipv6-icmp ACCEPT;
+ }
+
+ domain (ip ip6) table filter {
+ chain INPUT {
+ policy DROP;
+
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ interface lo ACCEPT;
+ proto icmp icmp-type echo-request ACCEPT;
+
+ interface $DEV_LAN {
+ proto (tcp udp) dport (ssh domain bootps) ACCEPT;
+ }
+ }
+
+ chain OUTPUT policy ACCEPT;
+
+ chain FORWARD {
+ policy DROP;
+
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ interface $DEV_LAN ACCEPT;
+ }
+ }
+
+ table nat {
+ chain POSTROUTING {
+ saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
+ }
+ }
+ '';
+ };
+
 services = {
 openssh.enable = lib.mkDefault true;
 openssh.passwordAuthentication = false;
diff --git a/machines/x1-pincer.nix b/machines/x1-pincer.nix
index cb725e2..246ab0d 100644
--- a/machines/x1-pincer.nix
+++ b/machines/x1-pincer.nix
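Review bot: Forcing `networking.firewall.enable` to false leaves `allowedTCPPorts`, `allowedUDPPorts`, `allowPing` and `trustedInterfaces` in the same block even though the NixOS firewall no longer renders any rules from them, so the attribute set now reads like live policy when it is inert. Either delete the whole `networking.firewall` block or put `# inert: packet filtering is done by services.ferm below` on the line before it. Note also that with the built-in firewall off, a ferm ruleset that fails to load would leave the kernel's default ACCEPT chain policies in effect; whether the ferm service validates the config before activation is not visible in this hunk, so it is worth confirming.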
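Review bot: `@def $NET_LAN = 10.64.30.0/24;` hard-codes the LAN subnet inside the ferm string while the interface names come from the Nix bindings `${lan-dev}` and `${wan-dev}`, so the MASQUERADE rule and whatever assigns that subnet elsewhere can drift apart without any error. Bind the subnet in the same `let` block (which is above this hunk, only its `in` is visible) and write `@def $NET_LAN = ${lan-net};` with a binding named along those lines. Separately, the FORWARD chain and the `nat POSTROUTING` rule only carry traffic if IP forwarding is enabled in the kernel; nothing in this hunk sets it, so confirm the rest of ap.nix does (for example through `boot.kernel.sysctl`), otherwise the host filters correctly but never routes.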
@@ -15,12 +15,6 @@
 # services.displayManager.slim.enable = lib.mkForce false;
 # services.xserver.desktopManager.kodi.enable = true;
- services.ferm = {
- enable = false;
- config = ''
- '';
- };
-
 boot = {
 kernelPackages = pkgs.linuxPackages_latest;
 kernelModules = ["xpad"];
-- 
cgit v1.2.3