From 76efedce9289a5da25dd3b3f38ecea2a8c0e5c7c Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 12 Oct 2024 11:49:48 +0200 Subject: [PATCH] fix up some opensnitch rules --- common/tooling/opensnitch/default.nix | 93 +++++++++++++++++++++++---- nix/sources.json | 20 +++--- 2 files changed, 90 insertions(+), 23 deletions(-) diff --git a/common/tooling/opensnitch/default.nix b/common/tooling/opensnitch/default.nix index 044f755..72dbf55 100644 --- a/common/tooling/opensnitch/default.nix +++ b/common/tooling/opensnitch/default.nix @@ -5,7 +5,7 @@ ... }: let - inherit (config.grimmShared) enable tooling graphical; + inherit (config.grimmShared) enable tooling graphical network; inherit (lib) optional getBin @@ -15,13 +15,20 @@ let escapeRegex getVersion mkIf + + filter + split + strings + concatStringsSep + length + isString ; local_network = [ "192.168.0.0/16" "10.0.0.0/8" "172.16.0.0/12" "fc00::/7" ]; local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network); in { - config = mkIf (enable && tooling.enable) { + config = mkIf (enable && tooling.enable && network) { environment.systemPackages = optional graphical pkgs.opensnitch-ui; grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui; @@ -157,9 +164,9 @@ in operand = "list"; list = [ { - type = "simple"; + type = "regexp"; operand = "dest.port"; - data = "443"; + data = "443|53"; } { type ="regexp"; @@ -359,9 +366,9 @@ in data = getExe' config.services.avahi.package "avahi-daemon"; } { - type = "simple"; + type = "regexp"; operand = "dest.port"; - data = "5353"; + data = "5353|53"; } { type = "simple"; 
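Review bot: The new `dest.port` regexp `443|53` in the @@ -157 hunk is unanchored, and as far as I know opensnitch's regexp operator is a substring match, so this allow rule now also matches ports such as 8443, 4430, 5353, 1530 or 530 instead of only 443 and 53, which is broader than the `simple` match it replaces. The same pattern recurs in the @@ -359 hunk (`5353|53`, where `53` already subsumes `5353`) and in the @@ -385 and @@ -440 hunks of the next chunk (`53|631`, `443|53`). Anchoring the alternation, `data = "^(443|53)$";`, keeps each rule as tight as before while still covering both ports; the other three hunks want the same treatment. The rule containing this operand starts and ends outside the hunk.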
@@ -372,6 +379,48 @@ in }; }; + icmp = { + name = "icmp"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type ="regexp"; + operand = "protocol"; + sensitive = false; + data = "icmp(4|6)?"; + }; + }; + + network-manager = mkIf (config.networking.networkmanager.enable) { + name = "network-manager"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type ="simple"; + sensitive = false; + operand = "process.path"; + data = getExe' pkgs.networkmanager "networkmanager"; + } + { + type ="simple"; + operand = "dest.port"; + data = "547"; + } + # { + # type ="simple"; + # operand = "dest.network"; + # data = "ff02::1:2"; + # } + ]; + }; + }; + cups-filters = mkIf (config.services.printing.enable) { name = "cups-filters"; enabled = true; @@ -385,12 +434,12 @@ in type ="simple"; sensitive = false; operand = "process.path"; - data = lib.getExe' pkgs.cups-filters "cups-browsed"; + data = getExe' pkgs.cups-filters "cups-browsed"; } { type ="regexp"; operand = "dest.port"; - data = "53"; + data = "53|631"; } { type = "lists"; @@ -440,11 +489,29 @@ in enabled = true; action = "allow"; duration = "always"; - operator = { - type ="simple"; - sensitive = false; - operand = "process.path"; - data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped"; + operator = { + type = "list"; + operand = "list"; + list = [ + { + type ="simple"; + sensitive = false; + operand = "process.path"; + data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped"; + } + { + type = "regexp"; + sensitive = false; + operand = "dest.host"; + data = let l = (filter isString (split "\\." config.grimmShared.cloudSync.server)); in (strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l); + # config.grimmShared.cloudSync.server; + } + { + type ="regexp"; + operand = "dest.port"; + data = "443|53"; + } + ]; }; }; }; 
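Review bot: The new `icmp` rule in the @@ -372 hunk has only a `protocol` condition, so it allows ICMP traffic from every process on the host, always, whereas the neighbouring rules pair an allow with a `process.path` condition. If that breadth is intended, say so next to the rule, e.g. `# deliberately not restricted by process: any local process may send ICMP/ICMPv6`, otherwise add a `process.path` entry and turn the operator into a `list` like the others. In the `network-manager` rule, `getExe' pkgs.networkmanager "networkmanager"` builds a lowercase path; if the installed binary keeps the upstream `NetworkManager` spelling, the match only succeeds because of `sensitive = false`, so the name is worth confirming against the package's `bin/` directory. The commented-out `dest.network` block should either be removed or carry a comment explaining why it is disabled.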
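Review bot: The generated `dest.host` regexp in the @@ -440 hunk is looser than it looks: for a server `a.b.c` (constructed example) the expression yields `((a\.)?b\.)?c`, whose outermost optional group makes the bare top-level label `c` a valid match on its own, and because the pattern is unanchored it then matches any host containing that label. If the rule is only meant to reach the configured server, `data = "^" + escapeRegex config.grimmShared.cloudSync.server + "$";` is both simpler and exact, and `escapeRegex` is already inherited from `lib` in this file; if parent domains are genuinely needed, at least wrap the current expression in `"^" + … + "$"` so only the server and its ancestors match. The leftover `# config.grimmShared.cloudSync.server;` line should be dropped once the intent is settled. The enclosing `nextcloud` rule starts outside the hunk.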
diff --git a/nix/sources.json b/nix/sources.json
index e344d51..b0dad81 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -5,10 +5,10 @@
 "homepage": null,
 "owner": "ezKEa",
 "repo": "aagl-gtk-on-nix",
- "rev": "7f7b8a654dac5117db22b97a01d3975acdb359b4",
- "sha256": "18prm208issqgfikgahv2xr0hzwkghl2sj3y8aj2xi5x1j4id3sl",
+ "rev": "5611dd61df02e0bc5d62bb3f5388821d8854faff",
+ "sha256": "1v9jk4j0zylx3ixwk5q8z22v6ir86pk9lfbf5q3ibgaggpf8kqa7",
 "type": "tarball",
- "url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/7f7b8a654dac5117db22b97a01d3975acdb359b4.tar.gz",
+ "url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/5611dd61df02e0bc5d62bb3f5388821d8854faff.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "agenix": {
@@ -41,10 +41,10 @@
 "homepage": "https://nyx.chaotic.cx",
 "owner": "chaotic-cx",
 "repo": "nyx",
- "rev": "371ba355dfb49d6c047525d078ee58b65f03e334",
- "sha256": "195p4mzisa9vxmzlh3yr2whb4h4wh5zxk4wcs3dp7drdai6ysfxl",
+ "rev": "d73c548a001f367048d4f22cf2ae626cd2002503",
+ "sha256": "0d4353i57y979sd3d95i3sn1fax6bnip9hibavx06bbckwl9h2dx",
 "type": "tarball",
- "url": "https://github.com/chaotic-cx/nyx/archive/371ba355dfb49d6c047525d078ee58b65f03e334.tar.gz",
+ "url": "https://github.com/chaotic-cx/nyx/archive/d73c548a001f367048d4f22cf2ae626cd2002503.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "glibc-eac": {
@@ -68,7 +68,7 @@
 "lix-pkg": {
 "branch": "main",
 "repo": "https://git.lix.systems/lix-project/lix.git",
- "rev": "5df2cccc4956e53b56ba1613e36d64dc8057c508",
+ "rev": "9865ebaaa618d82a7b7fdccc636cbaa7dfa42427",
 "type": "git"
 },
 "nixos-mailserver": {
@@ -95,10 +95,10 @@
 "homepage": null,
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "bc947f541ae55e999ffdb4013441347d83b00feb",
- "sha256": "06187qzdapb6ghymwvzcv02bxbw7h1v6r4aywjg86b6i2sy97s1l",
+ "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
+ "sha256": "0p3ry8x72cl572fs1c47h9y3s045p4aq71wpblzdi4dfqx3z2i7m",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/bc947f541ae55e999ffdb4013441347d83b00feb.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/5633bcff0c6162b9e4b5f1264264611e950c8ec7.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "ranger_udisk_menu": {