router: firewall: proper filtering for hosts proxied by cloudflare

2025-03-26 00:24:16 -07:00
7 changed files with 14 additions and 63 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1745001336,
+        "lastModified": 1742957044,
-        "narHash": "sha256-R4HuzrgYtOYBNmB3lfRxcieHEBO4uSfgHNz4MzWkZ5M=",
+        "narHash": "sha256-gwW0tBIA77g6qq45y220drTy0DmThF3fJMwVFUtYV9c=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "fc09cb7aaadb70d6c4898654ffc872f0d2415df9",
+        "rev": "ce287a5cd3ef78203bc78021447f937a988d9f6f",
        "type": "github"
      },
      "original": {
@@ -58,11 +58,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1744932701,
+        "lastModified": 1742669843,
-        "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=",
+        "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
+        "rev": "1e5b653dff12029333a6546c11e108ede13052eb",
        "type": "github"
      },
      "original": {
--- a/home/default.nix
+++ b/home/default.nix
@@ -19,7 +19,6 @@ in
    SHELL = "fish";
  };
  # TODO: remove (replace by bitwarden-desktop)
  services.gnome-keyring = {
    enable = true;
    components = [ "pkcs11" "ssh" ];
@@ -162,7 +161,6 @@ in
        shellExpand = true;
      };
      dolphinrc.General.ShowFullPath = true;
      dolphinrc.DetailsMode.PreviewSize.persistent = true;
      kactivitymanagerdrc = {
        activities."809dc779-bf5b-49e6-8e3f-cbe283cb05b6" = "Default";
        activities."b34a506d-ac4f-4797-8c08-6ef45bc49341" = "Fun";
--- a/hosts/Yura-PC/default.nix
+++ b/hosts/Yura-PC/default.nix
@@ -32,7 +32,7 @@
  boot.loader.timeout = 3;
  boot.loader.systemd-boot.configurationLimit = 5;
-  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_13;
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
  # https://nixos.wiki/wiki/Accelerated_Video_Playback
  hardware.graphics = {
@@ -125,7 +125,6 @@
      # Nix
      nixd
      nil
      # Gleam
      gleam
@@ -238,14 +237,12 @@
    whois
    yt-dlp
  ] ++ [
    bitwarden-desktop
    darkman
    host-spawn # for flatpaks
    kdePackages.filelight
    kdePackages.flatpak-kcm
    kdePackages.kate
    kdePackages.yakuake
    # TODO: remove (replace by bitwarden-desktop)
    gcr
    gnome-keyring # config for this and some others
    mpv
@@ -264,7 +261,6 @@
    jetbrains.webstorm
    android-studio
    rustup
    zed-editor
  ];
  # Some programs need SUID wrappers, can be configured further or are
--- a/hosts/router/firewall.nix
+++ b/hosts/router/firewall.nix
@@ -20,9 +20,8 @@ in
          ${ifs.lan40.name},
          ${ifs.lan50.name},
      }
-      define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
+      define OPNSENSE_NET6 = ${pdFromWan}d::/64
      define ZONE_LAN_EXTRA_NET6 = {
          # TODO: reevaluate this statement
          ${ifs.lan20.net6},  # needed since packets can come in from wan on these addrs
          $OPNSENSE_NET6,
      }
@@ -30,7 +29,6 @@ in
      define CLOUDFLARE_NET6 = {
          # https://www.cloudflare.com/ips-v6
          # TODO: figure out a better way to get addrs dynamically from url
          # perhaps building a nixos module/package that fetches the ips?
          2400:cb00::/32,
          2606:4700::/32,
          2803:f800::/32,
@@ -127,7 +125,7 @@ in
          meta l4proto . ip6 daddr . th dport @port_forward_v6 accept
          # Allowed IPv6 from cloudflare
-          ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 th dport https accept
+          ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 accept
      }
      chain zone_lan_input {
--- a/hosts/router/ifconfig.nix
+++ b/hosts/router/ifconfig.nix
@@ -46,12 +46,6 @@ let
  };
 in
 {
  # By default, Linux will respond to ARP requests that belong to other interfaces.
  # Normally this isn't a problem, but it causes issues
  # since my WAN and LAN20 are technically bridged.
  # https://networkengineering.stackexchange.com/questions/83071/why-linux-answers-arp-requests-for-ips-that-belong-to-different-network-interfac
  boot.kernel.sysctl."net.ipv4.conf.default.arp_filter" = 1;
  # It is impossible to do multiple prefix requests with networkd,
  # so I use dhcpcd for this
  # https://github.com/systemd/systemd/issues/22571
@@ -150,7 +144,6 @@ in
          ifs.lan40.name
          ifs.lan50.name
        ];
        routes = vars.extra.opnsense.routes;
      };
      "30-vlan10" = mkLanConfig ifs.lan10;
      "30-vlan20" = mkLanConfig ifs.lan20;
--- a/hosts/router/services.nix
+++ b/hosts/router/services.nix
@@ -4,16 +4,6 @@ let
  domain = vars.domain;
 in
 {
  services.miniupnpd = {
    enable = true;
    natpmp = true;
    externalInterface = vars.ifs.wan.name;
    internalIPs = [
      vars.ifs.lan.name
      vars.ifs.lan20.name
    ];
  };
  # https://wiki.nixos.org/wiki/Prometheus
  services.prometheus = {
    enable = true;
--- a/hosts/router/vars.nix
+++ b/hosts/router/vars.nix
@@ -95,28 +95,4 @@ rec {
      ulaPrefix_ = "${ulaPrefix}:0050";  # ::/64
    };
  };
  extra = {
    opnsense = rec {
      addr4 = "${ifs.lan.p4}.250";
      ulaAddr = "${ifs.lan.ulaPrefix}::250";
      p6 = "${pdFromWan}d";
      net6 = "${p6}::/64";
      # VPN routes on opnsense
      routes = [
        {
          Destination = "10.6.0.0/24";
          Gateway = addr4;
        }
        {
          Destination = "10.18.0.0/20";
          Gateway = addr4;
        }
        {
          Destination = net6;
          Gateway = ulaAddr;
        }
      ];
    };
  };
 }