firewall: add support for TCP/UDP port ranges
This is useful for packages like mosh, which use a wide UDP port range by default for incoming connections. Signed-off-by: Austin Seipp <aseipp@pobox.com>
This commit is contained in:
parent
0df7152c8f
commit
fc9022bea1
@ -128,6 +128,17 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPortRanges = mkOption {
|
||||
default = [];
|
||||
example = [ { from = 8999; to = 9003; } ];
|
||||
type = types.listOf (types.attrsOf types.int);
|
||||
description =
|
||||
''
|
||||
A range of TCP ports on which incoming connections are
|
||||
accepted.
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.allowedUDPPorts = mkOption {
|
||||
default = [];
|
||||
example = [ 53 ];
|
||||
@ -138,6 +149,16 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.allowedUDPPortRanges = mkOption {
|
||||
default = [];
|
||||
example = [ { from = 60000; to = 61000; } ];
|
||||
type = types.listOf (types.attrsOf types.int);
|
||||
description =
|
||||
''
|
||||
Range of open UDP ports.
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.allowPing = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
@ -322,6 +343,15 @@ in
|
||||
) cfg.allowedTCPPorts
|
||||
}
|
||||
|
||||
# Accept connections to the allowed TCP port ranges.
|
||||
${concatMapStrings (rangeAttr:
|
||||
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
|
||||
''
|
||||
ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept
|
||||
''
|
||||
) cfg.allowedTCPPortRanges
|
||||
}
|
||||
|
||||
# Accept packets on the allowed UDP ports.
|
||||
${concatMapStrings (port:
|
||||
''
|
||||
@ -330,6 +360,15 @@ in
|
||||
) cfg.allowedUDPPorts
|
||||
}
|
||||
|
||||
# Accept packets on the allowed UDP port ranges.
|
||||
${concatMapStrings (rangeAttr:
|
||||
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
|
||||
''
|
||||
ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept
|
||||
''
|
||||
) cfg.allowedUDPPortRanges
|
||||
}
|
||||
|
||||
# Accept IPv4 multicast. Not a big security risk since
|
||||
# probably nobody is listening anyway.
|
||||
#iptables -A nixos-fw -d 224.0.0.0/4 -j nixos-fw-accept
|
||||
|
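Review bot: The option type given to the new allowedTCPPortRanges and allowedUDPPortRanges, `types.listOf (types.attrsOf types.int)`, accepts any attribute names, so a mistyped key such as `form` or a missing `to` is only caught when `rangeAttr.from` / `rangeAttr.to` is evaluated inside the rule generation, and nothing checks that `from <= to` or that both values are valid port numbers; an inverted range would presumably be rejected by iptables when the firewall script runs, after earlier rules have already been loaded. If the module system here offers a type that declares `from` and `to` as named options, using it would move the check to option evaluation; otherwise an `assertions` entry such as `{ assertion = all (r: r.from <= r.to) (cfg.allowedTCPPortRanges ++ cfg.allowedUDPPortRanges); message = "networking.firewall port ranges must satisfy from <= to"; }` catches it at build time, assuming lib's `all` is in scope the way `concatMapStrings` is. The UDP description `Range of open UDP ports.` also reads differently from the TCP one; `A range of UDP ports on which incoming packets are accepted.` would keep the two consistent. All four hunks sit inside a larger expression whose start and end are outside this diff.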