wip firewall

This commit is contained in:
RingOfStorms (Joshua Bell) 2025-08-06 15:40:45 -05:00
parent 2bc38358c8
commit e8a6a2c7ad


@ -6,7 +6,6 @@
{ {
networking = { networking = {
# My Switch seems to not let me change management vlan so this is assume native default here for proper routing # My Switch seems to not let me change management vlan so this is assume native default here for proper routing
interfaces.bond0.nativeVlanId = 1;
# Configure bonding (LAG) # Configure bonding (LAG)
bonds = { bonds = {
bond0 = { bond0 = {
@ -24,11 +23,11 @@
# Configure VLANs on the bonded interface # Configure VLANs on the bonded interface
vlans = { vlans = {
vlan1 = { # vlan1 = {
# Management # # Management
id = 1; # id = 1;
interface = "bond0"; # interface = "bond0";
}; # };
vlan10 = { vlan10 = {
# WAN # WAN
id = 10; id = 10;
@ -67,7 +66,8 @@
]; ];
}; };
# Management VLAN 1 # Management VLAN 1
vlan1 = { # vlan1 = {
bond0 = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "10.12.16.1"; # Management network address = "10.12.16.1"; # Management network
@ -89,7 +89,8 @@
externalInterface = "vlan10"; # WAN externalInterface = "vlan10"; # WAN
internalInterfaces = [ internalInterfaces = [
"vlan20" "vlan20"
"vlan1" # "vlan1"
"bond0"
]; # LAN/Management ]; # LAN/Management
enableIPv6 = lib.mkIf config.networking.enableIPv6 true; # Enable IPv6 NAT enableIPv6 = lib.mkIf config.networking.enableIPv6 true; # Enable IPv6 NAT
}; };
@ -99,15 +100,13 @@
enable = true; enable = true;
allowPing = true; # For ddiagnostics allowPing = true; # For ddiagnostics
trustedInterfaces = [ # trustedInterfaces = [
"vlan20" # Allow all on LAN # "vlan20" # Allow all on LAN
"vlan1" # Allow all on management # "bond0" # Allow all on management
]; # ];
# Block vlan to vlan communication # Block vlan to vlan communication
filterForward = true; filterForward = true;
# ip saddr 10.12.14.0/24 ip daddr 10.12.16.0/24 drop
# ip6 saddr fd12:14::/64 ip6 daddr fd12:14:1::/64 drop
extraForwardRules = '' extraForwardRules = ''
# Allow established connections (allows return traffic) # Allow established connections (allows return traffic)
ip protocol tcp ct state {established, related} accept ip protocol tcp ct state {established, related} accept
@ -119,7 +118,7 @@
oifname "vlan10" accept oifname "vlan10" accept
# Drop any other forwarding attempts between internal networks # Drop any other forwarding attempts between internal networks
# drop drop
''; '';
interfaces = { interfaces = {
@ -130,39 +129,35 @@
allowedUDPPorts = [ ]; allowedUDPPorts = [ ];
}; };
# # LAN interface (VLAN 20) - FULL SERVICE # LAN interface (VLAN 20) - FULL SERVICE
# vlan20 = { vlan20 = {
# allowedTCPPorts = [ allowedTCPPorts = [
# 22 # SSH (if you want to SSH to your router from LAN devices) 22 # SSH (if you want to SSH to your router from LAN devices)
# 53 # DNS queries 53 # DNS queries
# 80 # HTTP (for local web services) 80
# 443 # HTTPS (for local web services) 443 # HTTP (for local web services)
# # Add other services you run locally (Plex, Home Assistant, etc.) ];
# ]; allowedUDPPorts = [
# allowedUDPPorts = [ 53 # DNS queries
# 53 # DNS queries 67 # DHCP server (dnsmasq)
# 67 # DHCP server (dnsmasq) 68 # DHCP client responses
# 68 # DHCP client responses ];
# # 123 # NTP (if you run a time server) };
# ];
# }; # Management interface (VLAN 1) - LIMITED SERVICE
# bond0 = {
# # Management interface (VLAN 1) - LIMITED SERVICE allowedTCPPorts = [
# vlan1 = { 22 # SSH (for remote admin access)
# allowedTCPPorts = [ 53 # DNS
# 22 # SSH (for remote admin access) 80
# 53 # DNS 443 # HTTP
# 80 # HTTP (to access switch web interface through the router) ];
# 443 allowedUDPPorts = [
# # HTTPS 53 # DNS
# ]; 67 # DHCP server
# allowedUDPPorts = [ 68
# 53 # DNS ];
# 67 # DHCP server };
# 68
# # DHCP client
# ];
# };
}; };
}; };
@ -184,7 +179,8 @@
# Listen only on LAN interface # Listen only on LAN interface
interface = [ interface = [
"vlan20" "vlan20"
"vlan1" # "vlan1"
"bond0"
]; ];
bind-interfaces = true; bind-interfaces = true;
@ -217,7 +213,8 @@
# interface, min interval, max interval # interface, min interval, max interval
ra-param = lib.mkIf config.networking.enableIPv6 [ ra-param = lib.mkIf config.networking.enableIPv6 [
"vlan20,60,120" "vlan20,60,120"
"vlan1,60,120" # "vlan1,60,120"
"bond0,60,120"
]; ];
# DNS settings # DNS settings
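Review bot: Activating the trailing `drop` in extraForwardRules (the `# drop` → `drop` change in the -119,7 hunk) turns the accept rules above it into the entire forwarding policy, and the only return-traffic rule visible, `ip protocol tcp ct state {established, related} accept`, matches IPv4 TCP alone; unless a rule in the lines not shown (or the NixOS forward chain itself) accepts established/related for every protocol, UDP and ICMP replies to NAT'd LAN traffic — DNS lookups, and anything over IPv6 now that the `enableIPv6` NAT line is set — will hit that `drop`. The usual form is `ct state {established, related} accept` without the `ip protocol tcp` qualifier, so that conntrack handles all protocols and both address families. A smaller point in the -130,39 hunk: the inline port comments slipped a line when the block was uncommented — `80` has no comment while `443 # HTTP` and `443 # HTTP (for local web services)` describe the wrong port, and `68` lost its `# DHCP client` note — which will mislead whoever next audits what is exposed on bond0 and vlan20. With `trustedInterfaces` now commented out, a one-line comment at that spot such as `# trustedInterfaces intentionally unset: bond0 and vlan20 only expose the allowedTCP/UDPPorts listed under interfaces` would record that the per-interface allowlists are the intended policy rather than a leftover. The ra-param hunk at the end continues past the visible chunk.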