
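{ hostName, config, lib, ... }:
# Per-host firewall add-ons on top of the NixOS firewall.
#
# What it installs (only when `site.hosts.<hostName>.firewall.enable`):
#   * on routers, an ACCEPT for OSPF (IP protocol 89, "ospfigp" in
#     /etc/protocols) inserted at the top of the NixOS input chain;
#   * a FORWARD policy for traffic *arriving* on interface `core`: allow
#     replies to existing connections, reject everything else.
#
# The FORWARD rules live in a dedicated chain, `site-fw-forward`, so that
# stopping or reloading the firewall only removes our own rules.  The previous
# version ran `ip46tables -F FORWARD` on stop, which wiped every FORWARD rule
# on the box (anything added by NAT, containers, Docker, libvirt, ...) and left
# forwarding wide open until the next start.
let
  hostConfig = config.site.hosts.${hostName};
  # Chain name is shared by start and stop, so keep it in one place.
  fwdChain = "site-fw-forward";
in {
  networking.firewall = lib.mkIf hostConfig.firewall.enable {
    enable = true;

    # Runs after the NixOS rules are in place.  `ip46tables` applies each
    # command to both iptables and ip6tables.
    extraCommands = ''
      ${lib.optionalString hostConfig.isRouter ''
        # OSPF between routers.  NOTE(review): this accepts OSPF on every
        # interface; if OSPF only runs on specific links, add `-i <iface>` to
        # limit where unauthenticated hellos are accepted from.
        ip46tables -I nixos-fw -p ospfigp -j ACCEPT
      ''}

      # (Re)create our own chain and start from an empty one, so that a reload
      # never accumulates duplicate rules.
      ip46tables -N ${fwdChain} 2> /dev/null || true
      ip46tables -F ${fwdChain}

      # Traffic entering on `core` may only continue existing connections;
      # everything else arriving on `core` is rejected.  Forwarding in other
      # directions is deliberately left to the kernel's FORWARD policy and to
      # whatever other modules install.
      ip46tables -A ${fwdChain} -i core -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      ip46tables -A ${fwdChain} -i core -j REJECT

      # Hook the chain into FORWARD exactly once: drop a stale jump (if any)
      # before appending, instead of relying on `-C`, whose exit status under
      # ip46tables only reflects the ip6tables half.
      ip46tables -D FORWARD -j ${fwdChain} 2> /dev/null || true
      ip46tables -A FORWARD -j ${fwdChain}
    '';

    # Undo only what extraCommands added; never touch other FORWARD rules.
    # Each step is best-effort so that stop stays idempotent even if start
    # never ran or was interrupted.
    extraStopCommands = ''
      ip46tables -D FORWARD -j ${fwdChain} 2> /dev/null || true
      ip46tables -F ${fwdChain} 2> /dev/null || true
      ip46tables -X ${fwdChain} 2> /dev/null || true
    '';
  };
}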