nftables: make default configuration null

reason:
 - We currently have an open discussion regarding a more modular
   firewall (https://github.com/NixOS/nixpkgs/issues/23181) and
   leaving null makes future extension easier.
 - the current default might not cover all use cases (e.g. a different SSH port)
   and might break existing setups if applied blindly
Jörg Thalheim 2017-02-26 15:23:01 +01:00
parent ec47fac2c3
commit 6c36d9fa20
No known key found for this signature in database
GPG Key ID: CA4106B8D7CC79FA
1 changed files with 33 additions and 82 deletions


@ -21,97 +21,48 @@ in
}; };
networking.nftables.ruleset = mkOption { networking.nftables.ruleset = mkOption {
type = types.lines; type = types.lines;
default = example = ''
'' # Check out https://wiki.nftables.org/ for better documentation.
table inet filter { # Table for both IPv4 and IPv6.
# Block all IPv4/IPv6 input traffic except SSH. table inet filter {
chain input { # Block all incomming connections traffic except SSH and "ping".
type filter hook input priority 0; chain input {
ct state invalid reject type filter hook input priority 0;
ct state {established, related} accept
iifname lo accept
tcp dport 22 accept
reject
}
# Allow anything in. # accept any localhost traffic
chain output { iifname lo accept
type filter hook output priority 0;
ct state invalid reject
ct state {established, related} accept
oifname lo accept
accept
}
chain forward { # accept traffic originated from us
type filter hook forward priority 0; ct state {established, related} accept
accept
}
}
'';
example =
''
# Check out http://wiki.nftables.org/ for better documentation.
define LAN = 192.168.0.1/24 # ICMP
# routers may also want: mld-listener-query, nd-router-solicit
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
# Handle IPv4 traffic. # allow "ping"
table ip filter { ip6 nexthdr icmp icmpv6 type echo-request accept
chain input { ip protocol icmp icmp type echo-request accept
type filter hook input priority 0;
# Handle existing connections.
ct state invalid reject
ct state {established, related} accept
# Allow loopback for applications.
iifname lo accept
# Allow people to ping us on LAN.
ip protocol icmp ip daddr $LAN accept
# Allow SSH over LAN.
tcp dport 22 ip daddr $LAN accept
# Reject all other output traffic.
reject
}
chain output { # accept SSH connections (required for a server)
type filter hook output priority 0; tcp dport 22 accept
# Handle existing connections.
ct state invalid reject
ct state {established, related} accept
# Allow loopback for applications.
oifname lo accept
# Allow the Tor user to run its daemon,
# but only on WAN in case of compromise.
skuid tor ip daddr != $LAN accept
# Allowing pinging others on LAN.
ip protocol icmp ip daddr $LAN accept
# Reject all other output traffic.
reject
}
chain forward { # count and drop any other traffic
type filter hook forward priority 0; counter drop
reject
}
} }
# Block all IPv6 traffic. # Allow all outgoing connections.
table ip6 filter { chain output {
chain input { type filter hook output priority 0;
type filter hook input priority 0; accept
reject
}
chain output {
type filter hook output priority 0;
reject
}
chain forward {
type filter hook forward priority 0;
reject
}
} }
'';
chain forward {
type filter hook forward priority 0;
accept
}
}
'';
description = description =
'' ''
The ruleset to be used with nftables. Should be in a format that The ruleset to be used with nftables. Should be in a format that