nixos-module/firewall: add for mgmt-gw, priv13-gw

nix/lib/config/legacy.nix

@@ -58,6 +58,11 @@ in
 
   config.site.hosts = lib.mkMerge (
     [
+      {
+        mgmt-gw.firewall.enable = true;
+        priv13-gw.firewall.enable = true;
+      }
+
       (builtins.foldl' (result: hostName: result // {
         "${hostName}" = {
           role = "server";

nix/lib/config/options.nix

@@ -173,6 +173,11 @@ let
           config.site.net.core.hosts4 ? ${name};
         description = "Should this host route?";
       };
+      firewall.enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable firewall to disallow incoming connections from core";
+      };
       forwardPorts = mkOption {
         type = with types; listOf (submodule { options = {
           proto = mkOption {

nix/nixos-module/container/mgmt-gw.nix

@@ -1,10 +1,9 @@
 { ... }:
 
 {
+  # (IPv4-only) NAT the mgmt net
   networking.nat = {
     enable = true;
     externalInterface = "core";
   };
-
-  # TODO: firewall
 }

nix/nixos-module/default.nix

@@ -13,6 +13,7 @@ in {
     ../lib/config/options.nix
     ./defaults.nix
     ./network.nix
+    ./firewall.nix
     ./collectd
   ] ++
   optionals (hostConfig.role == "server") [

nix/nixos-module/firewall.nix

@@ -0,0 +1,14 @@
+{ hostName, config, lib, ... }:
+
+lib.mkIf config.site.hosts.${hostName}.firewall.enable {
+  networking.firewall = {
+    enable = true;
+    extraCommands = ''
+      ip46tables -A FORWARD -i core -m state --state ESTABLISHED,RELATED -j ACCEPT
+      ip46tables -A FORWARD -i core -j REJECT --reject-with net-unreach
+    '';
+    extraStopCommands = ''
+      ip46tables -F FORWARD
+    '';
+  };
+}