From 1ee38b50b050f541b34c2aaa7b9a901ae7b1de99 Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 14 Apr 2021 20:04:28 +0200
Subject: [PATCH] nixos-module/firewall: add for mgmt-gw, priv13-gw
---
 nix/lib/config/legacy.nix | 5 +++++
 nix/lib/config/options.nix | 5 +++++
 nix/nixos-module/container/mgmt-gw.nix | 3 +--
 nix/nixos-module/default.nix | 1 +
 nix/nixos-module/firewall.nix | 14 ++++++++++++++
 5 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 nix/nixos-module/firewall.nix
diff --git a/nix/lib/config/legacy.nix b/nix/lib/config/legacy.nix
index 09433f1..7361430 100644
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@@ -58,6 +58,11 @@ in
 config.site.hosts = lib.mkMerge ( [
+ {
+ mgmt-gw.firewall.enable = true;
+ priv13-gw.firewall.enable = true;
+ }
+
 (builtins.foldl' (result: hostName: result // {
 "${hostName}" = {
 role = "server";
diff --git a/nix/lib/config/options.nix b/nix/lib/config/options.nix
index d00904e..687e288 100644
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@@ -173,6 +173,11 @@ let
 config.site.net.core.hosts4 ? ${name};
 description = "Should this host route?";
 };
+ firewall.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable firewall to disallow incoming connections from core";
+ };
 forwardPorts = mkOption {
 type = with types; listOf (submodule { options = { proto = mkOption {
diff --git a/nix/nixos-module/container/mgmt-gw.nix b/nix/nixos-module/container/mgmt-gw.nix
index d5b3705..d7882e0 100644
--- a/nix/nixos-module/container/mgmt-gw.nix
+++ b/nix/nixos-module/container/mgmt-gw.nix
@@ -1,10 +1,9 @@
 { ... }: {
+ # (IPv4-only) NAT the mgmt net
 networking.nat = {
 enable = true;
 externalInterface = "core";
 };
-
- # TODO: firewall
 }
diff --git a/nix/nixos-module/default.nix b/nix/nixos-module/default.nix
index 4dbc6b5..75e9a53 100644
--- a/nix/nixos-module/default.nix
+++ b/nix/nixos-module/default.nix
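Review bot: The description on the new firewall.enable option in options.nix, `Enable firewall to disallow incoming connections from core`, understates what the switch does: it turns on networking.firewall as a whole (so the NixOS INPUT filtering and its allowed-ports defaults apply too), and the core-specific rules only reject new forwarded connections, with ESTABLISHED/RELATED flows still accepted. Suggest `description = "Enable the NixOS firewall and reject new forwarded connections arriving on the core interface (established/related flows are still allowed)";`. The surrounding option set this attribute is added to starts outside the hunk.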
@@ -13,6 +13,7 @@ in {
 ../lib/config/options.nix
 ./defaults.nix
 ./network.nix
+ ./firewall.nix
 ./collectd
 ] ++ optionals (hostConfig.role == "server") [
diff --git a/nix/nixos-module/firewall.nix b/nix/nixos-module/firewall.nix
new file mode 100644
index 000000000..31369f8
--- /dev/null
+++ b/nix/nixos-module/firewall.nix
@@ -0,0 +1,14 @@
+{ hostName, config, lib, ... }:
+
+lib.mkIf config.site.hosts.${hostName}.firewall.enable {
+ networking.firewall = {
+ enable = true;
+ extraCommands = ''
+ ip46tables -A FORWARD -i core -m state --state ESTABLISHED,RELATED -j ACCEPT
+ ip46tables -A FORWARD -i core -j REJECT --reject-with net-unreach
+ '';
+ extraStopCommands = ''
+ ip46tables -F FORWARD
+ '';
+ };
+}
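Review bot: The second rule in extraCommands of firewall.nix, `ip46tables -A FORWARD -i core -j REJECT --reject-with net-unreach`, is also executed through ip6tables, and as far as I recall `net-unreach` is an IPv4-only reject type (ip6tables expects `icmp6-no-route` or `icmp6-adm-prohibited`), so the IPv6 invocation either aborts the start script or leaves forwarded IPv6 from core unfiltered while IPv4 is rejected — worth verifying on a host before relying on it. Dropping the type, `ip46tables -A FORWARD -i core -j REJECT`, uses each family's default reject and keeps the single-line form; if net-unreachable semantics matter, split into one iptables and one ip6tables line with the family-specific type. Separately, `ip46tables -F FORWARD` in extraStopCommands flushes every rule in the FORWARD chain rather than only the two added here, so any FORWARD rules other modules install are lost on stop/reload; deleting the two rules with `-D`, or appending them to a dedicated chain created and removed by this module, keeps the teardown scoped. `-m state --state` is the legacy match; `-m conntrack --ctstate ESTABLISHED,RELATED` is the current spelling.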