From addb063cee3e47858542916ed56dfc1ef0b9b394 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Fri, 1 Dec 2023 00:13:21 +0100
Subject: [PATCH] try some fw stuff

---
 hosts/fw.cloonar.com/modules/firewall.nix | 8 +++-
 hosts/fw.cloonar.com/modules/networking.nix | 42 ++++++++++-----------
 2 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 5b3c9ef..f03ba91 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -52,10 +52,14 @@
 # Allow returning traffic from wg_cloonar and drop everthing else
 iifname "wg_cloonar" ct state { established, related } counter accept
 iifname "wg_cloonar" drop
+
+ iifname "wan" ct state { established, related } accept comment "Allow established traffic"
+ iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
+ iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
 }
 chain forward {
- type filter hook forward priority filter; policy accept;
+ type filter hook forward priority filter; policy drop;
 # enable flow offloading for better throughput
 # ip protocol { tcp, udp } flow offload @f
@@ -87,7 +91,7 @@
 "multimedia",
 "smart",
 "wg_cloonar",
- } ct state established,related counter accept comment "Allow established back to LANs"
+ } ct state { established, related } counter accept comment "Allow established back to LANs"
 }
 }
diff --git a/hosts/fw.cloonar.com/modules/networking.nix b/hosts/fw.cloonar.com/modules/networking.nix
index 9630af5..aa011fa 100644
--- a/hosts/fw.cloonar.com/modules/networking.nix
+++ b/hosts/fw.cloonar.com/modules/networking.nix
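Review bot: The new wan input rules in the first hunk match only IPv4 `icmp`, so once the final `iifname "wan" counter drop` is reached every ICMPv6 packet arriving on wan (neighbor discovery, router advertisements, packet-too-big) is discarded; that is inert while this same commit turns IPv6 forwarding off in networking.nix, but it will silently break IPv6 if it is enabled on wan later. I would put `# IPv4 only: icmpv6 from wan is dropped below; add an icmpv6 accept (NDP, RA, packet-too-big) before enabling IPv6 on wan` above the ICMP rule. The first wan rule also omits `counter`, unlike every sibling rule: `iifname "wan" ct state { established, related } counter accept comment "Allow established traffic"`. The input chain's opening (its policy and any `ct state invalid drop`) lies before the hunk, so whether invalid packets are discarded ahead of the established accept cannot be judged here; the second hunk's `{ established, related }` rewrite is equivalent nft syntax and needs nothing further.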
@@ -2,34 +2,30 @@
 boot.kernel.sysctl = {
 # if you use ipv4, this is all you need
 "net.ipv4.conf.all.forwarding" = true;
- # If you want to use it for ipv6
- "net.ipv6.conf.all.forwarding" = true;
-
- # source: https://github.com/mdlayher/homelab/blob/master/nixos/routnerr-2/configuration.nix#L52
- # By default, not automatically configure any IPv6 addresses.
- "net.ipv6.conf.all.accept_ra" = 0;
- "net.ipv6.conf.all.autoconf" = 0;
- "net.ipv6.conf.all.use_tempaddr" = 0;
-
- # On WAN, allow IPv6 autoconfiguration and tempory address use.
- # "net.ipv6.conf.${name}.accept_ra" = 2;
- # "net.ipv6.conf.${name}.autoconf" = 1;
+ "net.ipv6.conf.all.forwarding" = false;
 };
- systemd.network.links."10-wan" = {
- matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c1";
- linkConfig.Name = "wan";
- };
- systemd.network.links."20-lan" = {
- matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c2";
- linkConfig.Name = "lan";
- };
- systemd.network.links."30-server" = {
- matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c3";
- linkConfig.Name = "server";
+ systemd.network = {
+ wait-online.anyInterface = true;
+ inks = {
+ "10-wan" = {
+ matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c1";
+ linkConfig.Name = "wan";
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "20-lan" = {
+ matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c2";
+ linkConfig.Name = "lan";
+ };
+ "30-server" = {
+ matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c3";
+ linkConfig.Name = "server";
+ };
+ };
 };
+
 networking = {
 useDHCP = false;
 nameservers = [ "9.9.9.9" "149.112.112.112" ];
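Review bot: `inks = {` in the new `systemd.network` block is a typo for `links`; NixOS declares no option `systemd.network.inks`, so evaluating this host should fail with an undefined-option error instead of installing the three `.link` units that give the interfaces the `wan`/`lan`/`server` names the firewall rules key on. `linkConfig.RequiredForOnline = "routable"` on `10-wan` is, as far as I know, a `[Link]` setting of `.network` units (`systemd.network.networks.<name>.linkConfig`), not of `.link` files, so it most likely belongs in the wan `.network` unit rather than here. Dropping `net.ipv6.conf.all.accept_ra = 0` and `autoconf = 0` restores the kernel defaults on every interface while only `forwarding` is set to `false`; a one-line comment such as `# IPv6 autoconfiguration on wan is now left at the kernel default` would record that this was intended. The `networking = {` block continues past the end of the hunk.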