jolheiser/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6a5a5728ee
nixpkgs/nixos/modules/services/networking/firewall.nix

548 lines
18 KiB
Nix
Raw Normal View History

* Put the NixOS firewall ruleset in its own chain (‘nixos-fw’). This should make it easier to compose with packages that set their own firewall rules, such as Nova or Libvirt. * Provide a chain for accepted packets (‘nixos-fw-accept’), requested by Nicolas Pierron. svn path=/nixos/trunk/; revision=27607
2011-07-05 12:51:46 +00:00
/* This module enables a simple firewall.
The firewall can be customised in arbitrary ways by setting
networking.firewall.extraCommands. For modularity, the firewall
uses several chains:
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
- nixos-fw is the main chain for input packet processing.
- nixos-fw-accept is called for accepted packets. If you want
additional logging, or want to reject certain packets anyway, you
can insert rules at the start of this chain.
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
* Put the NixOS firewall ruleset in its own chain (‘nixos-fw’). This should make it easier to compose with packages that set their own firewall rules, such as Nova or Libvirt. * Provide a chain for accepted packets (‘nixos-fw-accept’), requested by Nicolas Pierron. svn path=/nixos/trunk/; revision=27607
2011-07-05 12:51:46 +00:00
- nixos-fw-log-refuse and nixos-fw-refuse are called for
refused packets. (The former jumps to the latter after logging
the packet.) If you want additional logging, or want to accept
certain packets anyway, you can insert rules at the start of
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
this chain.
* Put the NixOS firewall ruleset in its own chain (‘nixos-fw’). This should make it easier to compose with packages that set their own firewall rules, such as Nova or Libvirt. * Provide a chain for accepted packets (‘nixos-fw-accept’), requested by Nicolas Pierron. svn path=/nixos/trunk/; revision=27607
2011-07-05 12:51:46 +00:00
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
- nixos-fw-rpfilter is used as the main chain in the raw table,
called from the built-in PREROUTING chain. If the kernel
supports it and `cfg.checkReversePath` is set this chain will
perform a reverse path filter test.
- nixos-drop is used while reloading the firewall in order to drop
all traffic. Since reloading isn't implemented in an atomic way
this'll prevent any traffic from leaking through while reloading
the firewall. However, if the reloading fails, the firewall-stop
script will be called which in return will effectively disable the
complete firewall (in the default configuration).
* Put the NixOS firewall ruleset in its own chain (‘nixos-fw’). This should make it easier to compose with packages that set their own firewall rules, such as Nova or Libvirt. * Provide a chain for accepted packets (‘nixos-fw-accept’), requested by Nicolas Pierron. svn path=/nixos/trunk/; revision=27607
2011-07-05 12:51:46 +00:00
*/
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem.
2014-04-14 14:26:48 +00:00
{ config, lib, pkgs, ... }:
* Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem.
2014-04-14 14:26:48 +00:00
with lib;
* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460
2009-07-24 23:12:52 +00:00
let
* Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00
cfg = config.networking.firewall;
firewall: Fix check for rpfilter on manual-config kernels
2017-02-06 21:43:23 +00:00
inherit (config.boot.kernelPackages) kernel;
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
firewall: Fix check for rpfilter on manual-config kernels
2017-02-06 21:43:23 +00:00
kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false);
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
* Put the NixOS firewall ruleset in its own chain (‘nixos-fw’). This should make it easier to compose with packages that set their own firewall rules, such as Nova or Libvirt. * Provide a chain for accepted packets (‘nixos-fw-accept’), requested by Nicolas Pierron. svn path=/nixos/trunk/; revision=27607
2011-07-05 12:51:46 +00:00
helpers =
''
# Helper command to manipulate both the IPv4 and IPv6 tables.
ip46tables() {
Use iptables' ‘-w’ flag This prevents errors like "Another app is currently holding the xtables lock" if the firewall and NAT services are starting in parallel. (Longer term, we should probably move to a single service for managing the iptables rules.)
2014-04-11 14:29:45 +00:00
iptables -w "$@"
firewall.nix: Respect networking.enableIPv6 = false Reported-by: Pablo Costa <modulistic@gmail.com>
2012-09-18 21:20:46 +00:00
${optionalString config.networking.enableIPv6 ''
Use iptables' ‘-w’ flag This prevents errors like "Another app is currently holding the xtables lock" if the firewall and NAT services are starting in parallel. (Longer term, we should probably move to a single service for managing the iptables rules.)
2014-04-11 14:29:45 +00:00
ip6tables -w "$@"
firewall.nix: Respect networking.enableIPv6 = false Reported-by: Pablo Costa <modulistic@gmail.com>
2012-09-18 21:20:46 +00:00
''}
* Put the NixOS firewall ruleset in its own chain (‘nixos-fw’). This should make it easier to compose with packages that set their own firewall rules, such as Nova or Libvirt. * Provide a chain for accepted packets (‘nixos-fw-accept’), requested by Nicolas Pierron. svn path=/nixos/trunk/; revision=27607
2011-07-05 12:51:46 +00:00
}
'';
nixos/firewall: Cleanup in case reload fails
2014-09-16 08:15:10 +00:00
writeShScript = name: text: let dir = pkgs.writeScriptBin name ''
#! ${pkgs.stdenv.shell} -e
${text}
''; in "${dir}/bin/${name}";
startScript = writeShScript "firewall-start" ''
${helpers}
# Flush the old firewall rules. !!! Ideally, updating the
# firewall would be atomic. Apparently that's possible
# with iptables-restore.
ip46tables -D INPUT -j nixos-fw 2> /dev/null || true
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
for chain in nixos-fw nixos-fw-accept nixos-fw-log-refuse nixos-fw-refuse; do
nixos/firewall: Cleanup in case reload fails
2014-09-16 08:15:10 +00:00
ip46tables -F "$chain" 2> /dev/null || true
ip46tables -X "$chain" 2> /dev/null || true
done
# The "nixos-fw-accept" chain just accepts packets.
ip46tables -N nixos-fw-accept
ip46tables -A nixos-fw-accept -j ACCEPT
# The "nixos-fw-refuse" chain rejects or drops packets.
ip46tables -N nixos-fw-refuse
${if cfg.rejectPackets then ''
# Send a reset for existing TCP connections that we've
# somehow forgotten about. Send ICMP "port unreachable"
# for everything else.
ip46tables -A nixos-fw-refuse -p tcp ! --syn -j REJECT --reject-with tcp-reset
ip46tables -A nixos-fw-refuse -j REJECT
'' else ''
ip46tables -A nixos-fw-refuse -j DROP
''}
# The "nixos-fw-log-refuse" chain performs logging, then
# jumps to the "nixos-fw-refuse" chain.
ip46tables -N nixos-fw-log-refuse
${optionalString cfg.logRefusedConnections ''
ip46tables -A nixos-fw-log-refuse -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
''}
${optionalString (cfg.logRefusedPackets && !cfg.logRefusedUnicastsOnly) ''
ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type broadcast \
-j LOG --log-level info --log-prefix "rejected broadcast: "
ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type multicast \
-j LOG --log-level info --log-prefix "rejected multicast: "
''}
ip46tables -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
${optionalString cfg.logRefusedPackets ''
ip46tables -A nixos-fw-log-refuse \
-j LOG --log-level info --log-prefix "rejected packet: "
''}
ip46tables -A nixos-fw-log-refuse -j nixos-fw-refuse
# The "nixos-fw" chain does the actual work.
ip46tables -N nixos-fw
# Perform a reverse-path test to refuse spoofers
# For now, we just drop, as the raw table doesn't have a log-refuse yet
firewall service: add support for loose reverse path filter check (#19122)
2016-10-08 12:26:52 +00:00
${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''
nixos/firewall: Refactor rpfilter, allow DHCPv4 (#17325) Adds a new chain in the raw table for reverse path filtering and optional logging. A rule to allow serving DHCPv4 was also added as it is commonly needed and poses no security risk even when no DHCPv4 server is running. Fixes #10101.
2016-07-31 11:49:24 +00:00
# Clean up rpfilter rules
ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true
ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
firewall service: add support for loose reverse path filter check (#19122)
2016-10-08 12:26:52 +00:00
ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN
nixos/firewall: Refactor rpfilter, allow DHCPv4 (#17325) Adds a new chain in the raw table for reverse path filtering and optional logging. A rule to allow serving DHCPv4 was also added as it is commonly needed and poses no security risk even when no DHCPv4 server is running. Fixes #10101.
2016-07-31 11:49:24 +00:00
# Allows this host to act as a DHCPv4 server
iptables -t raw -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN
${optionalString cfg.logReversePathDrops ''
ip46tables -t raw -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: "
''}
ip46tables -t raw -A nixos-fw-rpfilter -j DROP
ip46tables -t raw -A PREROUTING -j nixos-fw-rpfilter
nixos/firewall: Cleanup in case reload fails
2014-09-16 08:15:10 +00:00
''}
# Accept all traffic on the trusted interfaces.
${flip concatMapStrings cfg.trustedInterfaces (iface: ''
ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept
'')}
# Accept packets from established or related connections.
ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept
# Accept connections to the allowed TCP ports.
${concatMapStrings (port:
''
ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept
''
) cfg.allowedTCPPorts
}
# Accept connections to the allowed TCP port ranges.
${concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
''
ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept
''
) cfg.allowedTCPPortRanges
}
# Accept packets on the allowed UDP ports.
${concatMapStrings (port:
''
ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept
''
) cfg.allowedUDPPorts
}
# Accept packets on the allowed UDP port ranges.
${concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
''
ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept
''
) cfg.allowedUDPPortRanges
}
# Accept IPv4 multicast. Not a big security risk since
# probably nobody is listening anyway.
#iptables -A nixos-fw -d 224.0.0.0/4 -j nixos-fw-accept
# Optionally respond to ICMPv4 pings.
${optionalString cfg.allowPing ''
iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
"-m limit ${cfg.pingLimit} "
}-j nixos-fw-accept
''}
${optionalString config.networking.enableIPv6 ''
firewall service: allow DHCPv6 client traffic
2017-01-14 16:01:19 +00:00
# Accept all ICMPv6 messages except redirects and node
# information queries (type 139). See RFC 4890, section
# 4.4.
nixos/firewall: Cleanup in case reload fails
2014-09-16 08:15:10 +00:00
ip6tables -A nixos-fw -p icmpv6 --icmpv6-type redirect -j DROP
ip6tables -A nixos-fw -p icmpv6 --icmpv6-type 139 -j DROP
ip6tables -A nixos-fw -p icmpv6 -j nixos-fw-accept
firewall service: allow DHCPv6 client traffic
2017-01-14 16:01:19 +00:00
# Allow this host to act as a DHCPv6 client
ip6tables -A nixos-fw -d fe80::/64 -p udp --dport 546 -j nixos-fw-accept
nixos/firewall: Cleanup in case reload fails
2014-09-16 08:15:10 +00:00
''}
${cfg.extraCommands}
# Reject/drop everything else.
ip46tables -A nixos-fw -j nixos-fw-log-refuse
# Enable the firewall.
ip46tables -A INPUT -j nixos-fw
'';
stopScript = writeShScript "firewall-stop" ''
${helpers}
# Clean up in case reload fails
ip46tables -D INPUT -j nixos-drop 2>/dev/null || true
# Clean up after added ruleset
ip46tables -D INPUT -j nixos-fw 2>/dev/null || true
firewall service: add support for loose reverse path filter check (#19122)
2016-10-08 12:26:52 +00:00
${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''
nixos/firewall: Refactor rpfilter, allow DHCPv4 (#17325) Adds a new chain in the raw table for reverse path filtering and optional logging. A rule to allow serving DHCPv4 was also added as it is commonly needed and poses no security risk even when no DHCPv4 server is running. Fixes #10101.
2016-07-31 11:49:24 +00:00
ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true
firewall: clear rpfilter on stop
2014-11-14 07:07:18 +00:00
''}
nixos/firewall: Cleanup in case reload fails
2014-09-16 08:15:10 +00:00
${cfg.extraStopCommands}
'';
reloadScript = writeShScript "firewall-reload" ''
${helpers}
# Create a unique drop rule
ip46tables -D INPUT -j nixos-drop 2>/dev/null || true
ip46tables -F nixos-drop 2>/dev/null || true
ip46tables -X nixos-drop 2>/dev/null || true
ip46tables -N nixos-drop
ip46tables -A nixos-drop -j DROP
# Don't allow traffic to leak out until the script has completed
ip46tables -A INPUT -j nixos-drop
if ${startScript}; then
ip46tables -D INPUT -j nixos-drop 2>/dev/null || true
else
echo "Failed to reload firewall... Stopping"
${stopScript}
exit 1
fi
'';
* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460
2009-07-24 23:12:52 +00:00
in
{
###### interface
options = {
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
* Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00
networking.firewall.enable = mkOption {
Add lots of missing option types
2013-10-30 16:37:45 +00:00
type = types.bool;
Enable the firewall by default Fixes #2135.
2014-04-08 07:42:05 +00:00
default = true;
* Add an option to enable the firewall. It should eventually be enabled by default. svn path=/nixos/branches/modular-nixos/; revision=16464
2009-07-26 21:27:35 +00:00
description =
''
* Cleanup. svn path=/nixos/trunk/; revision=26244
2011-03-10 09:39:17 +00:00
Whether to enable the firewall. This is a simple stateful
firewall that blocks connection attempts to unauthorised TCP
or UDP ports on this machine. It does not affect packet
forwarding.
* Add an option to enable the firewall. It should eventually be enabled by default. svn path=/nixos/branches/modular-nixos/; revision=16464
2009-07-26 21:27:35 +00:00
'';
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
* Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00
networking.firewall.logRefusedConnections = mkOption {
Add lots of missing option types
2013-10-30 16:37:45 +00:00
type = types.bool;
* Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00
default = true;
description =
''
Whether to log rejected or dropped incoming connections.
'';
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
* Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00
networking.firewall.logRefusedPackets = mkOption {
Add lots of missing option types
2013-10-30 16:37:45 +00:00
type = types.bool;
* Oops. svn path=/nixos/trunk/; revision=27608
2011-07-05 12:54:50 +00:00
default = false;
* Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00
description =
''
Whether to log all rejected or dropped incoming packets.
This tends to give a lot of log messages, so it's mostly
useful for debugging.
'';
};
* Put the NixOS firewall ruleset in its own chain (‘nixos-fw’). This should make it easier to compose with packages that set their own firewall rules, such as Nova or Libvirt. * Provide a chain for accepted packets (‘nixos-fw-accept’), requested by Nicolas Pierron. svn path=/nixos/trunk/; revision=27607
2011-07-05 12:51:46 +00:00
networking.firewall.logRefusedUnicastsOnly = mkOption {
Add lots of missing option types
2013-10-30 16:37:45 +00:00
type = types.bool;
* Put the NixOS firewall ruleset in its own chain (‘nixos-fw’). This should make it easier to compose with packages that set their own firewall rules, such as Nova or Libvirt. * Provide a chain for accepted packets (‘nixos-fw-accept’), requested by Nicolas Pierron. svn path=/nixos/trunk/; revision=27607
2011-07-05 12:51:46 +00:00
default = true;
description =
''
If <option>networking.firewall.logRefusedPackets</option>
and this option are enabled, then only log packets
specifically directed at this machine, i.e., not broadcasts
or multicasts.
'';
};
* Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00
networking.firewall.rejectPackets = mkOption {
Add lots of missing option types
2013-10-30 16:37:45 +00:00
type = types.bool;
* Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00
default = false;
description =
''
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
If set, refused packets are rejected rather than dropped
Fix typos, especially those that end up in the NixOS manual
2013-08-10 21:07:13 +00:00
(ignored). This means that an ICMP "port unreachable" error
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
message is sent back to the client (or a TCP RST packet in
case of an existing connection). Rejecting packets makes
* Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00
port scanning somewhat easier.
'';
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
firewall.nix: Allow specifying trusted network interfaces Trusted network interfaces (such as "lo") will accept any incoming traffic.
2012-09-20 21:51:44 +00:00
networking.firewall.trustedInterfaces = mkOption {
Some more type cleanup
2015-06-15 16:18:46 +00:00
type = types.listOf types.str;
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
default = [ ];
example = [ "enp0s2" ];
firewall.nix: Allow specifying trusted network interfaces Trusted network interfaces (such as "lo") will accept any incoming traffic.
2012-09-20 21:51:44 +00:00
description =
''
Traffic coming in from these interfaces will be accepted
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
unconditionally. Traffic from the loopback (lo) interface
will always be accepted.
firewall.nix: Allow specifying trusted network interfaces Trusted network interfaces (such as "lo") will accept any incoming traffic.
2012-09-20 21:51:44 +00:00
'';
};
* Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00
networking.firewall.allowedTCPPorts = mkOption {
replace list by listOf using same style as for attrsOf
2013-03-14 16:09:21 +00:00
type = types.listOf types.int;
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
default = [ ];
example = [ 22 80 ];
* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460
2009-07-24 23:12:52 +00:00
description =
''
List of TCP ports on which incoming connections are
accepted.
'';
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
firewall: add support for TCP/UDP port ranges This is useful for packages like mosh, which use a wide UDP port range by default for incoming connections. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-02-19 11:19:19 +00:00
networking.firewall.allowedTCPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
default = [ ];
example = [ { from = 8999; to = 9003; } ];
firewall: add support for TCP/UDP port ranges This is useful for packages like mosh, which use a wide UDP port range by default for incoming connections. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-02-19 11:19:19 +00:00
description =
''
A range of TCP ports on which incoming connections are
accepted.
'';
};
* Add an option for opening UDP ports. * Accept packets destined for link-local addresses (fe80::/10). svn path=/nixos/trunk/; revision=26236
2011-03-09 16:37:16 +00:00
networking.firewall.allowedUDPPorts = mkOption {
replace list by listOf using same style as for attrsOf
2013-03-14 16:09:21 +00:00
type = types.listOf types.int;
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
default = [ ];
example = [ 53 ];
* Add an option for opening UDP ports. * Accept packets destined for link-local addresses (fe80::/10). svn path=/nixos/trunk/; revision=26236
2011-03-09 16:37:16 +00:00
description =
''
List of open UDP ports.
'';
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
firewall: add support for TCP/UDP port ranges This is useful for packages like mosh, which use a wide UDP port range by default for incoming connections. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-02-19 11:19:19 +00:00
networking.firewall.allowedUDPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
default = [ ];
example = [ { from = 60000; to = 61000; } ];
firewall: add support for TCP/UDP port ranges This is useful for packages like mosh, which use a wide UDP port range by default for incoming connections. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-02-19 11:19:19 +00:00
description =
''
Range of open UDP ports.
'';
};
* Add a firewall option to allow pings. (Maybe this should be enabled by default.) svn path=/nixos/trunk/; revision=26233
2011-03-09 15:28:47 +00:00
networking.firewall.allowPing = mkOption {
type = types.bool;
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
default = true;
* Add a firewall option to allow pings. (Maybe this should be enabled by default.) svn path=/nixos/trunk/; revision=26233
2011-03-09 15:28:47 +00:00
description =
''
* RFC 4890 says that local nodes should not filter pretty much any ICMPv6 messages (including echo requests), so don't do that. svn path=/nixos/trunk/; revision=26270
2011-03-11 11:08:16 +00:00
Whether to respond to incoming ICMPv4 echo requests
("pings"). ICMPv6 pings are always allowed because the
larger address space of IPv6 makes network scanning much
less effective.
* Add a firewall option to allow pings. (Maybe this should be enabled by default.) svn path=/nixos/trunk/; revision=26233
2011-03-09 15:28:47 +00:00
'';
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
firewall: Allow setting rate limits for pings
2014-03-14 18:55:30 +00:00
networking.firewall.pingLimit = mkOption {
type = types.nullOr (types.separatedString " ");
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
default = null;
example = "--limit 1/minute --limit-burst 5";
firewall: Allow setting rate limits for pings
2014-03-14 18:55:30 +00:00
description =
''
If pings are allowed, this allows setting rate limits
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
on them. If non-null, this option should be in the form of
flags like "--limit 1/minute --limit-burst 5"
firewall: Allow setting rate limits for pings
2014-03-14 18:55:30 +00:00
'';
};
firewall: option to enable the rpfilter netfilter module This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which only works for ipv4. Furthermore, it's nicer to handle this kind of filtering in the firewall. There are some more subtle differences, please see: https://home.regit.org/netfilter-en/secure-use-of-helpers/ I chose to enable this by default (when the firewall is enabled) as it's a good idea in general. Only people with advanced routing needs might not want this, but I guess they don't use the nixos firewall anyway and use a custom solution. Furthermore, the option only becomes available in kernel 3.3+, so conservative nixos users that just stick to the default kernel will not need to act now just yet.
2012-10-12 11:09:19 +00:00
networking.firewall.checkReversePath = mkOption {
firewall service: add support for loose reverse path filter check (#19122)
2016-10-08 12:26:52 +00:00
type = types.either types.bool (types.enum ["strict" "loose"]);
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
default = kernelHasRPFilter;
example = "loose";
firewall: option to enable the rpfilter netfilter module This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which only works for ipv4. Furthermore, it's nicer to handle this kind of filtering in the firewall. There are some more subtle differences, please see: https://home.regit.org/netfilter-en/secure-use-of-helpers/ I chose to enable this by default (when the firewall is enabled) as it's a good idea in general. Only people with advanced routing needs might not want this, but I guess they don't use the nixos firewall anyway and use a custom solution. Furthermore, the option only becomes available in kernel 3.3+, so conservative nixos users that just stick to the default kernel will not need to act now just yet.
2012-10-12 11:09:19 +00:00
description =
''
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
Performs a reverse path filter test on a packet. If a reply
to the packet would not be sent via the same interface that
the packet arrived on, it is refused.
If using asymmetric routing or other complicated routing, set
this option to loose mode or disable it and setup your own
counter-measures.
firewall: option to enable the rpfilter netfilter module This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which only works for ipv4. Furthermore, it's nicer to handle this kind of filtering in the firewall. There are some more subtle differences, please see: https://home.regit.org/netfilter-en/secure-use-of-helpers/ I chose to enable this by default (when the firewall is enabled) as it's a good idea in general. Only people with advanced routing needs might not want this, but I guess they don't use the nixos firewall anyway and use a custom solution. Furthermore, the option only becomes available in kernel 3.3+, so conservative nixos users that just stick to the default kernel will not need to act now just yet.
2012-10-12 11:09:19 +00:00
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
This option can be either true (or "strict"), "loose" (only
drop the packet if the source address is not reachable via any
interface) or false. Defaults to the value of
kernelHasRPFilter.
firewall: option to enable the rpfilter netfilter module This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which only works for ipv4. Furthermore, it's nicer to handle this kind of filtering in the firewall. There are some more subtle differences, please see: https://home.regit.org/netfilter-en/secure-use-of-helpers/ I chose to enable this by default (when the firewall is enabled) as it's a good idea in general. Only people with advanced routing needs might not want this, but I guess they don't use the nixos firewall anyway and use a custom solution. Furthermore, the option only becomes available in kernel 3.3+, so conservative nixos users that just stick to the default kernel will not need to act now just yet.
2012-10-12 11:09:19 +00:00
(needs kernel 3.3+)
'';
};
nixos/firewall: Refactor rpfilter, allow DHCPv4 (#17325) Adds a new chain in the raw table for reverse path filtering and optional logging. A rule to allow serving DHCPv4 was also added as it is commonly needed and poses no security risk even when no DHCPv4 server is running. Fixes #10101.
2016-07-31 11:49:24 +00:00
networking.firewall.logReversePathDrops = mkOption {
type = types.bool;
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
default = false;
nixos/firewall: Refactor rpfilter, allow DHCPv4 (#17325) Adds a new chain in the raw table for reverse path filtering and optional logging. A rule to allow serving DHCPv4 was also added as it is commonly needed and poses no security risk even when no DHCPv4 server is running. Fixes #10101.
2016-07-31 11:49:24 +00:00
description =
''
Logs dropped packets failing the reverse path filter test if
the option networking.firewall.checkReversePath is enabled.
'';
};
firewall: options to select connection-tracking helpers My main reason for adding this is the ability to turn off helpers altogether. If you are not using any of the special protocols, keeping them turned off is safest, and in case you do want to use them, it's best to configure them through the new CT target for your network topology. Perhaps some sane defaults for nixos can be examined in the future. This change has no impact if you don't touch the added options, so no need to adapt.
2012-10-12 11:16:33 +00:00
networking.firewall.connectionTrackingModules = mkOption {
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
type = types.listOf types.str;
firewall: disable conntrack helper autoloading by default This was disabled in the Linux kernel since 4.7 and poses a security risk if not configured properly. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
2017-01-22 16:29:38 +00:00
default = [ ];
firewall: options to select connection-tracking helpers My main reason for adding this is the ability to turn off helpers altogether. If you are not using any of the special protocols, keeping them turned off is safest, and in case you do want to use them, it's best to configure them through the new CT target for your network topology. Perhaps some sane defaults for nixos can be examined in the future. This change has no impact if you don't touch the added options, so no need to adapt.
2012-10-12 11:16:33 +00:00
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
description =
''
List of connection-tracking helpers that are auto-loaded.
The complete list of possible values is given in the example.
Fix typos, especially those that end up in the NixOS manual
2013-08-10 21:07:13 +00:00
As helpers can pose as a security risk, it is advised to
firewall: options to select connection-tracking helpers My main reason for adding this is the ability to turn off helpers altogether. If you are not using any of the special protocols, keeping them turned off is safest, and in case you do want to use them, it's best to configure them through the new CT target for your network topology. Perhaps some sane defaults for nixos can be examined in the future. This change has no impact if you don't touch the added options, so no need to adapt.
2012-10-12 11:16:33 +00:00
set this to an empty list and disable the setting
firewall: disable conntrack helper autoloading by default This was disabled in the Linux kernel since 4.7 and poses a security risk if not configured properly. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
2017-01-22 16:29:38 +00:00
networking.firewall.autoLoadConntrackHelpers unless you
know what you are doing. Connection tracking is disabled
by default.
firewall: options to select connection-tracking helpers My main reason for adding this is the ability to turn off helpers altogether. If you are not using any of the special protocols, keeping them turned off is safest, and in case you do want to use them, it's best to configure them through the new CT target for your network topology. Perhaps some sane defaults for nixos can be examined in the future. This change has no impact if you don't touch the added options, so no need to adapt.
2012-10-12 11:16:33 +00:00
firewall: disable conntrack helper autoloading by default This was disabled in the Linux kernel since 4.7 and poses a security risk if not configured properly. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
2017-01-22 16:29:38 +00:00
Loading of helpers is recommended to be done through the
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
CT target. More info:
firewall: options to select connection-tracking helpers My main reason for adding this is the ability to turn off helpers altogether. If you are not using any of the special protocols, keeping them turned off is safest, and in case you do want to use them, it's best to configure them through the new CT target for your network topology. Perhaps some sane defaults for nixos can be examined in the future. This change has no impact if you don't touch the added options, so no need to adapt.
2012-10-12 11:16:33 +00:00
https://home.regit.org/netfilter-en/secure-use-of-helpers/
'';
};
networking.firewall.autoLoadConntrackHelpers = mkOption {
type = types.bool;
firewall: disable conntrack helper autoloading by default This was disabled in the Linux kernel since 4.7 and poses a security risk if not configured properly. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
2017-01-22 16:29:38 +00:00
default = false;
firewall: options to select connection-tracking helpers My main reason for adding this is the ability to turn off helpers altogether. If you are not using any of the special protocols, keeping them turned off is safest, and in case you do want to use them, it's best to configure them through the new CT target for your network topology. Perhaps some sane defaults for nixos can be examined in the future. This change has no impact if you don't touch the added options, so no need to adapt.
2012-10-12 11:16:33 +00:00
description =
''
Whether to auto-load connection-tracking helpers.
See the description at networking.firewall.connectionTrackingModules
(needs kernel 3.5+)
'';
};
* Firewall: add an option to allow extra firewall rules to be added. * Firewall: change the policy of the INPUT chain back to ACCEPT to prevent a lockup when the Nix store is mounted over the network (i.e. in our VM tests). This is because as soon as the policy is set to DROP, the iptables modules that enable access to the network filesystem cannot be acccessed anymore. svn path=/nixos/trunk/; revision=26274
2011-03-11 13:04:17 +00:00
networking.firewall.extraCommands = mkOption {
Add lots of missing option types
2013-10-30 16:37:45 +00:00
type = types.lines;
* Firewall: add an option to allow extra firewall rules to be added. * Firewall: change the policy of the INPUT chain back to ACCEPT to prevent a lockup when the Nix store is mounted over the network (i.e. in our VM tests). This is because as soon as the policy is set to DROP, the iptables modules that enable access to the network filesystem cannot be acccessed anymore. svn path=/nixos/trunk/; revision=26274
2011-03-11 13:04:17 +00:00
default = "";
example = "iptables -A INPUT -p icmp -j ACCEPT";
description =
''
Additional shell commands executed as part of the firewall
initialisation script. These are executed just before the
final "reject" firewall rule is added, so they can be used
to allow packets that would otherwise be refused.
'';
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
nixos/firewall: Add the ability to specify additional packages for extraCommands
2015-07-26 23:32:59 +00:00
networking.firewall.extraPackages = mkOption {
Add missing 'type', 'defaultText' and 'literalExample' in module definitions - add missing types in module definitions - add missing 'defaultText' in module definitions - wrap example with 'literalExample' where necessary in module definitions
2016-01-17 18:34:55 +00:00
type = types.listOf types.package;
nixos/firewall: Add the ability to specify additional packages for extraCommands
2015-07-26 23:32:59 +00:00
default = [ ];
Add missing 'type', 'defaultText' and 'literalExample' in module definitions - add missing types in module definitions - add missing 'defaultText' in module definitions - wrap example with 'literalExample' where necessary in module definitions
2016-01-17 18:34:55 +00:00
example = literalExample "[ pkgs.ipset ]";
nixos/firewall: Add the ability to specify additional packages for extraCommands
2015-07-26 23:32:59 +00:00
description =
''
Additional packages to be included in the environment of the system
as well as the path of networking.firewall.extraCommands.
'';
};
nixos/firewall: Support extraStopCommands
2014-09-16 04:29:46 +00:00
networking.firewall.extraStopCommands = mkOption {
type = types.lines;
default = "";
example = "iptables -P INPUT ACCEPT";
description =
''
Additional shell commands executed as part of the firewall
shutdown script. These are executed just after the removal
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
of the NixOS input rule, or if the service enters a failed
state.
nixos/firewall: Support extraStopCommands
2014-09-16 04:29:46 +00:00
'';
};
* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460
2009-07-24 23:12:52 +00:00
};
###### implementation
* Add an option to enable the firewall. It should eventually be enabled by default. svn path=/nixos/branches/modular-nixos/; revision=16464
2009-07-26 21:27:35 +00:00
Remove remaining references to Upstart
2013-10-31 12:26:06 +00:00
# FIXME: Maybe if `enable' is false, the firewall should still be
# built but not started by default?
* Cleanup. svn path=/nixos/trunk/; revision=26244
2011-03-10 09:39:17 +00:00
config = mkIf cfg.enable {
* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460
2009-07-24 23:12:52 +00:00
firewall.nix: Allow specifying trusted network interfaces Trusted network interfaces (such as "lo") will accept any incoming traffic.
2012-09-20 21:51:44 +00:00
networking.firewall.trustedInterfaces = [ "lo" ];
nixos/firewall: Add the ability to specify additional packages for extraCommands
2015-07-26 23:32:59 +00:00
environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460
2009-07-24 23:12:52 +00:00
firewall: disable conntrack helper autoloading by default This was disabled in the Linux kernel since 4.7 and poses a security risk if not configured properly. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
2017-01-22 16:29:38 +00:00
boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers ''
options nf_conntrack nf_conntrack_helper=1
firewall: options to select connection-tracking helpers My main reason for adding this is the ability to turn off helpers altogether. If you are not using any of the special protocols, keeping them turned off is safest, and in case you do want to use them, it's best to configure them through the new CT target for your network topology. Perhaps some sane defaults for nixos can be examined in the future. This change has no impact if you don't touch the added options, so no need to adapt.
2012-10-12 11:16:33 +00:00
'';
* Enable FTP connection tracking in the firewall. svn path=/nixos/trunk/; revision=26275
2011-03-11 13:34:17 +00:00
firewall service: add support for loose reverse path filter check (#19122)
2016-10-08 12:26:52 +00:00
assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;
firewall: options to select connection-tracking helpers My main reason for adding this is the ability to turn off helpers altogether. If you are not using any of the special protocols, keeping them turned off is safest, and in case you do want to use them, it's best to configure them through the new CT target for your network topology. Perhaps some sane defaults for nixos can be examined in the future. This change has no impact if you don't touch the added options, so no need to adapt.
2012-10-12 11:16:33 +00:00
message = "This kernel does not support rpfilter"; }
];
* Enable FTP connection tracking in the firewall. svn path=/nixos/trunk/; revision=26275
2011-03-11 13:34:17 +00:00
nixos/firewall: Cleanup in case reload fails
2014-09-16 08:15:10 +00:00
systemd.services.firewall = {
description = "Firewall";
nixos: Fix ordering of firewall.service Follow-up to the following commits: abdc5961c3cdf9f5893ea1e91ba08ff5089f53a4: Fix starting the firewall e090701e2d09aec3e8866ab9a8e53c37973ffeb4: Order before sysinit Solely use sysinit.target here instead of multi-user.target because we want to make sure that the iptables rules are applied *before* any socket units are started. The reason I've dropped the wantedBy on multi-user.target is that sysinit.target is already a part of the dependency chain of multi-user.target. To make sure that this holds true, I've added a small test case to ensure that during switch of the configuration the firewall.service is considered as well. Tested using the firewall NixOS test. Signed-off-by: aszlig <aszlig@redmoonstudios.org> Cc: @edolstra
2016-09-07 12:18:32 +00:00
wantedBy = [ "sysinit.target" ];
Fix starting the firewall Probably as a result of 992c514a20cf2da897db68169d7dcab721e8c7b7, it was not being started anymore. My understanding of systemd.special(7) (section "Special passive system units") is that the firewall should want network-pre.target, rather than the other way around (not very intuitive...). This in itself does not cause the firewall to be wanted, which is why the wanted-by relationship with multi-user.target is necessary. http://hydra.nixos.org/build/39965589
2016-09-07 12:24:54 +00:00
wants = [ "network-pre.target" ];
nixos: Add network-pre.target and adjust firewall start ordering
2014-12-02 01:19:06 +00:00
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
nixos/firewall: Don't allow traffic during reload
2014-09-16 03:04:31 +00:00
nixos/firewall: Add the ability to specify additional packages for extraCommands
2015-07-26 23:32:59 +00:00
path = [ pkgs.iptables ] ++ cfg.extraPackages;
nixos/firewall: Cleanup in case reload fails
2014-09-16 08:15:10 +00:00
# FIXME: this module may also try to load kernel modules, but
firewall: Improve the comments (documentation) (#21862) * Fix the FW names FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw. * Update the comment (documentation) at the top Order the chains of the main table alphabetically (like in the rest of the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop (used while reloading the firewall). * Refactor the module (mainly comments) - Move some attributes to the top for better visibility (that should hopefully make it easier to read and understand this module without jumping around too much). - Add some missing examples and improve some descriptions. - Reorder the mkOption attributes for consistency. - Wrap lines at 72 characters. - Use two spaces between sentences.
2017-01-18 16:18:11 +00:00
# containers don't have CAP_SYS_MODULE. So the host system had
nixos/firewall: Cleanup in case reload fails
2014-09-16 08:15:10 +00:00
# better have all necessary modules already loaded.
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
nixos: Fix ordering of firewall.service Follow-up to the following commits: abdc5961c3cdf9f5893ea1e91ba08ff5089f53a4: Fix starting the firewall e090701e2d09aec3e8866ab9a8e53c37973ffeb4: Order before sysinit Solely use sysinit.target here instead of multi-user.target because we want to make sure that the iptables rules are applied *before* any socket units are started. The reason I've dropped the wantedBy on multi-user.target is that sysinit.target is already a part of the dependency chain of multi-user.target. To make sure that this holds true, I've added a small test case to ensure that during switch of the configuration the firewall.service is considered as well. Tested using the firewall NixOS test. Signed-off-by: aszlig <aszlig@redmoonstudios.org> Cc: @edolstra
2016-09-07 12:18:32 +00:00
unitConfig.DefaultDependencies = false;
nixos/firewall: Cleanup in case reload fails
2014-09-16 08:15:10 +00:00
reloadIfChanged = true;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "@${startScript} firewall-start";
ExecReload = "@${reloadScript} firewall-reload";
ExecStop = "@${stopScript} firewall-stop";
* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460
2009-07-24 23:12:52 +00:00
};
nixos/firewall: Cleanup in case reload fails
2014-09-16 08:15:10 +00:00
};
* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460
2009-07-24 23:12:52 +00:00
};
}
Reference in New Issue Copy Permalink