2009-09-29 15:21:56 +01:00
|
|
|
{ config, pkgs, ... }:
|
|
|
|
|
|
|
|
with pkgs.lib;
|
2009-07-25 00:12:52 +01:00
|
|
|
|
|
|
|
let
|
|
|
|
|
2009-09-29 15:21:56 +01:00
|
|
|
cfg = config.networking.firewall;
|
|
|
|
|
2009-07-25 00:12:52 +01:00
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
###### interface
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
2009-09-29 15:21:56 +01:00
|
|
|
networking.firewall.enable = mkOption {
|
2009-07-26 22:27:35 +01:00
|
|
|
default = false;
|
|
|
|
description =
|
|
|
|
''
|
|
|
|
Whether to enable the firewall.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2009-09-29 15:21:56 +01:00
|
|
|
networking.firewall.logRefusedConnections = mkOption {
|
|
|
|
default = true;
|
|
|
|
description =
|
|
|
|
''
|
|
|
|
Whether to log rejected or dropped incoming connections.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
networking.firewall.logRefusedPackets = mkOption {
|
|
|
|
default = false;
|
|
|
|
description =
|
|
|
|
''
|
|
|
|
Whether to log all rejected or dropped incoming packets.
|
|
|
|
This tends to give a lot of log messages, so it's mostly
|
|
|
|
useful for debugging.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
networking.firewall.rejectPackets = mkOption {
|
|
|
|
default = false;
|
|
|
|
description =
|
|
|
|
''
|
|
|
|
If set, forbidden packets are rejected rather than dropped
|
|
|
|
(ignored). This means that a ICMP "port unreachable" error
|
|
|
|
message is sent back to the client. Rejecting packets makes
|
|
|
|
port scanning somewhat easier.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
networking.firewall.allowedTCPPorts = mkOption {
|
2009-07-25 00:12:52 +01:00
|
|
|
default = [];
|
2011-03-09 16:37:16 +00:00
|
|
|
example = [ 22 80 ];
|
2009-09-29 15:21:56 +01:00
|
|
|
type = types.list types.int;
|
2009-07-25 00:12:52 +01:00
|
|
|
description =
|
|
|
|
''
|
|
|
|
List of TCP ports on which incoming connections are
|
|
|
|
accepted.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2011-03-09 16:37:16 +00:00
|
|
|
networking.firewall.allowedUDPPorts = mkOption {
|
|
|
|
default = [];
|
|
|
|
example = [ 53 ];
|
|
|
|
type = types.list types.int;
|
|
|
|
description =
|
|
|
|
''
|
|
|
|
List of open UDP ports.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2011-03-09 15:28:47 +00:00
|
|
|
networking.firewall.allowPing = mkOption {
|
|
|
|
default = false;
|
|
|
|
type = types.bool;
|
|
|
|
description =
|
|
|
|
''
|
|
|
|
Whether to respond to incoming ICMP echo requests ("pings").
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2009-07-25 00:12:52 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
###### implementation
|
2009-07-26 22:27:35 +01:00
|
|
|
|
|
|
|
# !!! Maybe if `enable' is false, the firewall should still be built
|
|
|
|
# but not started by default. However, currently nixos-rebuild
|
|
|
|
# doesn't deal with such Upstart jobs properly (it starts them if
|
|
|
|
# they are changed, regardless of whether the start condition
|
|
|
|
# holds).
|
2009-09-29 15:21:56 +01:00
|
|
|
config = mkIf config.networking.firewall.enable {
|
2009-07-25 00:12:52 +01:00
|
|
|
|
2011-03-09 12:28:44 +00:00
|
|
|
environment.systemPackages = [ pkgs.iptables ];
|
2009-07-25 00:12:52 +01:00
|
|
|
|
2009-10-12 19:09:34 +01:00
|
|
|
jobs.firewall =
|
2009-11-06 22:19:17 +00:00
|
|
|
{ startOn = "started network-interfaces";
|
2009-07-26 22:27:35 +01:00
|
|
|
|
2011-03-09 12:28:44 +00:00
|
|
|
path = [ pkgs.iptables ];
|
|
|
|
|
2009-07-25 00:12:52 +01:00
|
|
|
preStart =
|
|
|
|
''
|
2011-03-09 14:41:48 +00:00
|
|
|
# Helper command to manipulate both the IPv4 and IPv6 filters.
|
|
|
|
ip46tables() {
|
|
|
|
iptables "$@"
|
|
|
|
ip6tables "$@"
|
|
|
|
}
|
|
|
|
|
|
|
|
ip46tables -F
|
2011-03-09 15:11:01 +00:00
|
|
|
ip46tables -X # flush unused chains
|
|
|
|
ip46tables -P INPUT DROP
|
|
|
|
|
|
|
|
|
|
|
|
# The "FW_REFUSE" chain performs logging and
|
|
|
|
# rejecting/dropping of packets.
|
|
|
|
ip46tables -N FW_REFUSE
|
|
|
|
|
|
|
|
${optionalString cfg.logRefusedConnections ''
|
|
|
|
ip46tables -A FW_REFUSE -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
|
|
|
|
''}
|
|
|
|
${optionalString cfg.logRefusedPackets ''
|
|
|
|
ip46tables -A FW_REFUSE -j LOG --log-level info --log-prefix "rejected packet: "
|
|
|
|
''}
|
|
|
|
|
|
|
|
ip46tables -A FW_REFUSE -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
|
|
|
|
|
2009-07-25 00:12:52 +01:00
|
|
|
|
|
|
|
# Accept all traffic on the loopback interface.
|
2011-03-09 14:41:48 +00:00
|
|
|
ip46tables -A INPUT -i lo -j ACCEPT
|
2009-07-25 00:12:52 +01:00
|
|
|
|
|
|
|
# Accept packets from established or related connections.
|
2011-03-09 14:41:48 +00:00
|
|
|
ip46tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
2009-07-25 00:12:52 +01:00
|
|
|
|
2011-03-09 14:41:48 +00:00
|
|
|
# Accept connections to the allowed TCP ports.
|
2009-09-29 15:21:56 +01:00
|
|
|
${concatMapStrings (port:
|
2009-07-25 00:12:52 +01:00
|
|
|
''
|
2011-03-09 14:41:48 +00:00
|
|
|
ip46tables -A INPUT -p tcp --dport ${toString port} -j ACCEPT
|
2009-07-25 00:12:52 +01:00
|
|
|
''
|
|
|
|
) config.networking.firewall.allowedTCPPorts
|
|
|
|
}
|
|
|
|
|
2011-03-09 16:37:16 +00:00
|
|
|
# Accept packets on the allowed UDP ports.
|
|
|
|
${concatMapStrings (port:
|
|
|
|
''
|
|
|
|
ip46tables -A INPUT -p udp --dport ${toString port} -j ACCEPT
|
|
|
|
''
|
|
|
|
) config.networking.firewall.allowedUDPPorts
|
|
|
|
}
|
|
|
|
|
2011-03-09 14:41:48 +00:00
|
|
|
# Accept IPv4 multicast. Not a big security risk since
|
2009-08-10 19:25:09 +01:00
|
|
|
# probably nobody is listening anyway.
|
2011-03-09 12:28:44 +00:00
|
|
|
iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT
|
2009-08-10 19:25:09 +01:00
|
|
|
|
2011-03-09 14:41:48 +00:00
|
|
|
# Accept IPv6 ICMP packets on the local link. Otherwise
|
|
|
|
# stuff like neighbor/router solicitation won't work.
|
|
|
|
ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
|
2011-03-09 16:37:16 +00:00
|
|
|
ip6tables -A INPUT -d fe80::/10 -p icmpv6 -j ACCEPT
|
2011-03-09 14:41:48 +00:00
|
|
|
|
2011-03-09 15:28:47 +00:00
|
|
|
# Optionally respond to pings.
|
|
|
|
${optionalString cfg.allowPing ''
|
|
|
|
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
|
|
|
|
''}
|
|
|
|
|
2011-03-09 15:11:01 +00:00
|
|
|
# Reject/drop everything else.
|
|
|
|
ip46tables -A INPUT -j FW_REFUSE
|
2009-07-25 00:12:52 +01:00
|
|
|
'';
|
|
|
|
|
|
|
|
postStop =
|
|
|
|
''
|
2011-03-09 12:28:44 +00:00
|
|
|
iptables -F
|
2011-03-09 15:11:01 +00:00
|
|
|
iptables -P INPUT ACCEPT
|
2011-03-09 14:41:48 +00:00
|
|
|
ip6tables -F
|
2011-03-09 15:11:01 +00:00
|
|
|
ip6tables -P INPUT ACCEPT
|
2011-03-09 12:28:44 +00:00
|
|
|
'';
|
2009-07-25 00:12:52 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
}
|