fix up some opensnitch rules

This commit is contained in:
Grimmauld 2024-10-12 11:49:48 +02:00
parent 96d240c517
commit 76efedce92
Signed by: Grimmauld
GPG Key ID: C2946668769F91FB
2 changed files with 90 additions and 23 deletions


@ -5,7 +5,7 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable tooling graphical; inherit (config.grimmShared) enable tooling graphical network;
inherit (lib) inherit (lib)
optional optional
getBin getBin
@ -15,13 +15,20 @@ let
escapeRegex escapeRegex
getVersion getVersion
mkIf mkIf
filter
split
strings
concatStringsSep
length
isString
; ;
local_network = [ "192.168.0.0/16" "10.0.0.0/8" "172.16.0.0/12" "fc00::/7" ]; local_network = [ "192.168.0.0/16" "10.0.0.0/8" "172.16.0.0/12" "fc00::/7" ];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network); local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
in in
{ {
config = mkIf (enable && tooling.enable) { config = mkIf (enable && tooling.enable && network) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui; environment.systemPackages = optional graphical pkgs.opensnitch-ui;
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui; grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
@ -157,9 +164,9 @@ in
operand = "list"; operand = "list";
list = [ list = [
{ {
type = "simple"; type = "regexp";
operand = "dest.port"; operand = "dest.port";
data = "443"; data = "443|53";
} }
{ {
type ="regexp"; type ="regexp";
@ -359,9 +366,9 @@ in
data = getExe' config.services.avahi.package "avahi-daemon"; data = getExe' config.services.avahi.package "avahi-daemon";
} }
{ {
type = "simple"; type = "regexp";
operand = "dest.port"; operand = "dest.port";
data = "5353"; data = "5353|53";
} }
{ {
type = "simple"; type = "simple";
@ -372,6 +379,48 @@ in
}; };
}; };
icmp = {
name = "icmp";
enabled = true;
action = "allow";
duration = "always";
operator = {
type ="regexp";
operand = "protocol";
sensitive = false;
data = "icmp(4|6)?";
};
};
network-manager = mkIf (config.networking.networkmanager.enable) {
name = "network-manager";
enabled = true;
action = "allow";
duration = "always";
operator = {
type = "list";
operand = "list";
list = [
{
type ="simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.networkmanager "networkmanager";
}
{
type ="simple";
operand = "dest.port";
data = "547";
}
# {
# type ="simple";
# operand = "dest.network";
# data = "ff02::1:2";
# }
];
};
};
cups-filters = mkIf (config.services.printing.enable) { cups-filters = mkIf (config.services.printing.enable) {
name = "cups-filters"; name = "cups-filters";
enabled = true; enabled = true;
@ -385,12 +434,12 @@ in
type ="simple"; type ="simple";
sensitive = false; sensitive = false;
operand = "process.path"; operand = "process.path";
data = lib.getExe' pkgs.cups-filters "cups-browsed"; data = getExe' pkgs.cups-filters "cups-browsed";
} }
{ {
type ="regexp"; type ="regexp";
operand = "dest.port"; operand = "dest.port";
data = "53"; data = "53|631";
} }
{ {
type = "lists"; type = "lists";
@ -440,11 +489,29 @@ in
enabled = true; enabled = true;
action = "allow"; action = "allow";
duration = "always"; duration = "always";
operator = { operator = {
type ="simple"; type = "list";
sensitive = false; operand = "list";
operand = "process.path"; list = [
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped"; {
type ="simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = let l = (filter isString (split "\\." config.grimmShared.cloudSync.server)); in (strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l);
# config.grimmShared.cloudSync.server;
}
{
type ="regexp";
operand = "dest.port";
data = "443|53";
}
];
}; };
}; };
}; };
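Review bot: The dest.port operators this section switches to `regexp` (`443|53`, `5353|53`, `53|631`, and `443|53` again in the nextcloud rule) are unanchored, and as far as I recall opensnitch evaluates regexp operators with Go's substring-matching MatchString, so `443|53` also accepts ports such as 1443, 8443, 530 or 1053 and each allow rule becomes wider than the two ports intended (`5353|53` is also redundant, since `53` already matches inside `5353`). Anchor each pattern, e.g. `data = "^(443|53)$";`, `data = "^(5353|53)$";`, `data = "^(53|631)$";`. The constructed dest.host regexp in the nextcloud rule has the same problem: for a server like cloud.example.com it yields `((cloud\.)?example\.)?com`, which unanchored matches any host containing `com`, so wrap the result as `"^(" + … + ")$"` so only the server and its parent domains are allowed. The network-manager rule's `getExe' pkgs.networkmanager "networkmanager"` also looks suspect — the daemon binary is `NetworkManager` and, if I remember the nixpkgs layout correctly, lives under sbin/, so the process.path operator would never match and the rule would silently be dead; worth checking the actual store path. The enclosing rules attrset starts and ends outside these hunks.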


@ -5,10 +5,10 @@
"homepage": null, "homepage": null,
"owner": "ezKEa", "owner": "ezKEa",
"repo": "aagl-gtk-on-nix", "repo": "aagl-gtk-on-nix",
"rev": "7f7b8a654dac5117db22b97a01d3975acdb359b4", "rev": "5611dd61df02e0bc5d62bb3f5388821d8854faff",
"sha256": "18prm208issqgfikgahv2xr0hzwkghl2sj3y8aj2xi5x1j4id3sl", "sha256": "1v9jk4j0zylx3ixwk5q8z22v6ir86pk9lfbf5q3ibgaggpf8kqa7",
"type": "tarball", "type": "tarball",
"url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/7f7b8a654dac5117db22b97a01d3975acdb359b4.tar.gz", "url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/5611dd61df02e0bc5d62bb3f5388821d8854faff.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"agenix": { "agenix": {
@ -41,10 +41,10 @@
"homepage": "https://nyx.chaotic.cx", "homepage": "https://nyx.chaotic.cx",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "371ba355dfb49d6c047525d078ee58b65f03e334", "rev": "d73c548a001f367048d4f22cf2ae626cd2002503",
"sha256": "195p4mzisa9vxmzlh3yr2whb4h4wh5zxk4wcs3dp7drdai6ysfxl", "sha256": "0d4353i57y979sd3d95i3sn1fax6bnip9hibavx06bbckwl9h2dx",
"type": "tarball", "type": "tarball",
"url": "https://github.com/chaotic-cx/nyx/archive/371ba355dfb49d6c047525d078ee58b65f03e334.tar.gz", "url": "https://github.com/chaotic-cx/nyx/archive/d73c548a001f367048d4f22cf2ae626cd2002503.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"glibc-eac": { "glibc-eac": {
@ -68,7 +68,7 @@
"lix-pkg": { "lix-pkg": {
"branch": "main", "branch": "main",
"repo": "https://git.lix.systems/lix-project/lix.git", "repo": "https://git.lix.systems/lix-project/lix.git",
"rev": "5df2cccc4956e53b56ba1613e36d64dc8057c508", "rev": "9865ebaaa618d82a7b7fdccc636cbaa7dfa42427",
"type": "git" "type": "git"
}, },
"nixos-mailserver": { "nixos-mailserver": {
@ -95,10 +95,10 @@
"homepage": null, "homepage": null,
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bc947f541ae55e999ffdb4013441347d83b00feb", "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"sha256": "06187qzdapb6ghymwvzcv02bxbw7h1v6r4aywjg86b6i2sy97s1l", "sha256": "0p3ry8x72cl572fs1c47h9y3s045p4aq71wpblzdi4dfqx3z2i7m",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/bc947f541ae55e999ffdb4013441347d83b00feb.tar.gz", "url": "https://github.com/NixOS/nixpkgs/archive/5633bcff0c6162b9e4b5f1264264611e950c8ec7.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"ranger_udisk_menu": { "ranger_udisk_menu": {