From 73bfe6d1f7774910616fe73d77f335936604f7c9 Mon Sep 17 00:00:00 2001
From: Random936
Date: Mon, 10 Feb 2025 20:08:14 -0800
Subject: [PATCH] Added firewall rule for node exporters

---
 config/assets/suricata.yaml | 203 ++++++++++++++++++------------------
 config/headless.nix | 2 +
 config/networking.nix | 2 +-
 3 files changed, 104 insertions(+), 103 deletions(-)

diff --git a/config/assets/suricata.yaml b/config/assets/suricata.yaml
index dee2272..ff55092 100644
--- a/config/assets/suricata.yaml
+++ b/config/assets/suricata.yaml
@@ -1,109 +1,108 @@ - %YAML 1.1 - --- +%YAML 1.1 +--- +vars: + address-groups: + HOME_NET: "[192.168.100.0/24]" + EXTERNAL_NET: "!$HOME_NET" + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" - vars: - address-groups: - HOME_NET: "[192.168.100.0/24]" - EXTERNAL_NET: "!$HOME_NET" - HTTP_SERVERS: "$HOME_NET" - SMTP_SERVERS: "$HOME_NET" - SQL_SERVERS: "$HOME_NET" - DNS_SERVERS: "$HOME_NET" - TELNET_SERVERS: "$HOME_NET" - AIM_SERVERS: "$EXTERNAL_NET" - DC_SERVERS: "$HOME_NET" - DNP3_SERVER: "$HOME_NET" - DNP3_CLIENT: "$HOME_NET" - MODBUS_CLIENT: "$HOME_NET" - MODBUS_SERVER: "$HOME_NET" - ENIP_CLIENT: "$HOME_NET" - ENIP_SERVER: "$HOME_NET" - port-groups: - HTTP_PORTS: "80" - SHELLCODE_PORTS: "!80" - ORACLE_PORTS: 1521 - SSH_PORTS: 22 - DNP3_PORTS: 20000 - MODBUS_PORTS: 502 - FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" - FTP_PORTS: 21 - GENEVE_PORTS: 6081 - VXLAN_PORTS: 4789 - TEREDO_PORTS: 3544 - SIP_PORTS: "[5060, 5061]" +default-log-dir: /home/logging/logs +classification-file: /etc/suricata/classification.config +reference-config-file: /etc/suricata/reference.config +default-rule-path: /etc/suricata/rules +rule-files: + - suricata.rules - default-log-dir: /home/logging/logs - classification-file: /etc/suricata/classification.config - reference-config-file: /etc/suricata/reference.config - default-rule-path: /etc/suricata/rules - rule-files: - - suricata.rules +stats: + enabled: yes - 
stats: - enabled: yes +af-packet: + - interface: enp6s18 + use-mmap: yes + tpacket-v3: yes + cluster-id: 99 + cluster-type: cluster_flow + defrag: yes - af-packet: - - interface: enp6s18 - use-mmap: yes - tpacket-v3: yes - cluster-id: 99 - cluster-type: cluster_flow - defrag: yes +outputs: + - fast: + enabled: yes + filename: fast.log + append: yes - outputs: - - fast: - enabled: yes - filename: fast.log - append: yes + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - alert: + tagged-packets: yes + - http: + extended: yes + - http2 + - dns: + enabled: yes + - tls: + extended: yes + - flow + - mqtt + - ssh + - dhcp: + enabled: yes + - arp: + enabled: yes + - ldap + - quic + - sip + - rfb + - snmp + - bittorrent-dht + - krb5 + - dcerpc + - ike + - tftp + - smb + - nfs + - rdp + - ftp + - websocket + - smtp - - eve-log: - enabled: yes - filetype: regular - filename: eve.json - types: - - alert: - tagged-packets: yes - - http: - extended: yes - - http2 - - dns: - enabled: yes - - tls: - extended: yes - - flow - - mqtt - - ssh - - dhcp: - enabled: yes - - arp: - enabled: yes - - ldap - - quic - - sip - - rfb - - snmp - - bittorrent-dht - - krb5 - - dcerpc - - ike - - tftp - - smb - - nfs - - rdp - - ftp - - websocket - - smtp + - pcap-log: + enabled: yes + filename: log.pcap + limit: 1gb + max-files: 20 - - pcap-log: - enabled: yes - filename: log.pcap - limit: 1gb - max-files: 20 - - - stats: - enabled: yes - filename: stats.log - append: yes - totals: yes - threads: no - + - stats: + enabled: yes + filename: stats.log + append: yes + totals: yes + threads: no + diff --git a/config/headless.nix b/config/headless.nix index c6dfcfe..df09e03 100644 --- a/config/headless.nix +++ b/config/headless.nix @@ -14,6 +14,8 @@ enable = true; port = 9002; enabledCollectors = [ "systemd" "processes" ]; + openFirewall = true; + firewallFilter = "-s 192.168.100.41 -p tcp -m tcp --dport 9002"; }; system.stateVersion = "24.05"; 
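Review bot: The scraper address `192.168.100.41` in the added `firewallFilter` line is a bare literal, while networking.nix keeps its addresses and port list in `let` bindings (`gateway_ip`, `ip_address`, `open_ports`); binding it the same way, e.g. `prometheus_ip = "192.168.100.41";` and `firewallFilter = "-s ${prometheus_ip} -p tcp -m tcp --dport 9002";`, keeps the allow-list in one place and says what host it is. The `--dport 9002` also duplicates the `port = 9002;` two lines above, so a later port change would silently leave the filter matching the wrong port; a comment such as `# only the Prometheus server may scrape the node exporter; keep --dport in sync with port` would at least flag that coupling. The enclosing exporter block (presumably `services.prometheus.exporters.node`, given `enabledCollectors`) starts outside the hunk. NixOS inserts `firewallFilter` through ip46tables, so this IPv4-only `-s` match has no IPv6 counterpart and may be rejected by ip6tables, and on a host with the nftables backend the iptables filter string is not applied at all; worth confirming on this machine that the firewall comes up cleanly and that 9002 answers only to that source.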
diff --git a/config/networking.nix b/config/networking.nix index b34c388..6520311 100644 --- a/config/networking.nix +++ b/config/networking.nix @@ -17,7 +17,7 @@ in { }; networking.nameservers = [ gateway_ip ]; - networking.firewall.allowedTCPPorts = open_ports ++ [9002]; + networking.firewall.allowedTCPPorts = open_ports; networking.interfaces.enp6s18.ipv4.addresses = [ { address = ip_address;