From 9ed7a2aec8dcfc6cc39818c20533b423fd83c343 Mon Sep 17 00:00:00 2001
From: Mark Nipper <nipsy@bitgnome.net>
Date: Wed, 19 Jun 2024 19:42:19 -0700
Subject: Adjust firewall rules

---
 hosts/darkstar/default.nix | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)


diff --git a/hosts/darkstar/default.nix b/hosts/darkstar/default.nix
index 0c4596b..a3d82e1 100644
--- a/hosts/darkstar/default.nix
+++ b/hosts/darkstar/default.nix
@@ -87,7 +87,6 @@
       "kea-dhcp4_conf" = {};
       "nftables/forward" = {};
       "nftables/ssh" = {};
-      "nftables/voip" = {};
     };
   };
 
@@ -96,9 +95,15 @@
   systemd.services."nftables-extra" = {
     description = "nftables extra firewall rules";
     script = ''
+      ${pkgs.nftables}/bin/nft -a list chain inet nixos-fw input | ${pkgs.gnugrep}/bin/grep @anveo | ${pkgs.gnugrep}/bin/grep -Eo 'handle [[:digit:]]+$' | ${pkgs.gnused}/bin/sed -e 's/^handle //' | while read handle; do ${pkgs.nftables}/bin/nft delete rule inet nixos-fw input handle ${handle}; done
+      if ${pkgs.nftables}/bin/nft list set inet nixos-fw anveo 2>/dev/null; then ${pkgs.nftables}/bin/nft delete set inet nixos-fw anveo; fi
+      if ${pkgs.nftables}/bin/nft list ct helpers table inet nixos-fw | ${pkgs.gnugrep}/bin/grep -qE '^[[:space:]]*ct helper sip-5060 {$'; then ${pkgs.nftables}/bin/nft delete ct helper inet nixos-fw sip-5060; fi
+      ${pkgs.nftables}/bin/nft add ct helper inet nixos-fw sip-5060 '{type "sip" protocol udp;}'
+      ${pkgs.nftables}/bin/nft add set inet nixos-fw anveo '{type ipv4_addr; elements={ 72.9.149.25, 169.48.232.158, 176.9.39.206, 204.216.109.55 };}'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "vlan201" udp dport sip ip saddr @anveo ct helper set "sip-5060"'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "vlan201" udp dport sip ip saddr @anveo accept'
       ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/forward".path}
       ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
-      ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/voip".path}
     '';
     serviceConfig = {
       RemainAfterExit = true;
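Review bot: The two `nft insert rule` lines at the end of the added block end up in the wrong evaluation order: `insert` prepends to the chain, so the `accept` rule inserted last sits above the `ct helper set "sip-5060"` rule and terminates evaluation before the helper is ever assigned, so the SIP helper never sees those packets. Swap the two inserts, or merge them into one rule, `... ip saddr @anveo ct helper set "sip-5060" accept`, so the helper assignment is evaluated before the accept. Separately, `${handle}` on the handle-deletion line is a Nix antiquotation inside the `''` string rather than a shell expansion; unless a Nix binding named `handle` happens to be in scope this fails evaluation, and the shell variable should be written `''${handle}` or `$handle`. Note also that the provider address set is now in plain Nix source where it was previously supplied by the sops secret `nftables/voip`, so confirm that this data is meant to be unencrypted in the repository. The `script` attribute is visible in full, but the enclosing service definition continues outside the hunk.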
@@ -108,7 +113,6 @@
       ConditionPathExists = [
         config.sops.secrets."nftables/forward".path
         config.sops.secrets."nftables/ssh".path
-        config.sops.secrets."nftables/voip".path
       ];
     };
     wantedBy = [ "multi-user.target" ];
@@ -118,7 +122,6 @@
       PathExists = [
         config.sops.secrets."nftables/forward".path
         config.sops.secrets."nftables/ssh".path
-        config.sops.secrets."nftables/voip".path
       ];
     };
     wantedBy = [ "multi-user.target" ];
-- 
cgit v1.2.3