Security updates

2025-12-20 17:52:03 -07:00
parent 20fefd7813
commit 1bf4a88be0
4 changed files with 171 additions and 18 deletions
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -6,17 +6,48 @@ in
 {
  networking.hostName = settings.hostname;

-  networking.networkmanager.enable = true;
+  networking.networkmanager = {
+    enable = true;
+    wifi.scanRandMacAddress = true;
+  };

-  networking.firewall.enable = true;
+  networking.firewall = {
+    enable = true;
+    
+    # Allowed ports
+    allowedTCPPorts = [ 
+      # Sunshine
+      47984 47989 48010 
+    ];
+    allowedUDPPorts = [ 
+      # Sunshine
+      47998 47999 48000 48010 
+    ];

-  networking.firewall.allowedTCPPorts = [ 
-    # Sunshine
-    47984 47989 48010 
-  ];
+    # Firewall
+    logReversePathDrops = true;
+    logRefusedConnections = true;

-  networking.firewall.allowedUDPPorts = [ 
-    # Sunshine
-    47998 47999 48000 48010 
-  ];
+    # Connection tracking
+    connectionTrackingModules = [];
+    autoLoadConntrackHelpers = false;
+
+    extraCommands = ''
+      iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP
+      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
+      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
+    '';
+    extraStopCommands = ''
+      iptables -D INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP 2>/dev/null || true
+      iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --set 2>/dev/null || true
+      iptables -D INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP 2>/dev/null || true
+    '';
+  };
+
+  networking.nameservers = [ "1.1.1.1" "9.9.9.9" ];
+  services.resolved = {
+    enable = true;
+    dnsovertls = "opportunistic";
+    fallbackDns = [ "1.0.0.1" "149.112.112.112" ];
+  };
 }