firewall: option to enable the rpfilter netfilter module
This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which only works for ipv4. Furthermore, it's nicer to handle this kind of filtering in the firewall.

There are some more subtle differences, please see: https://home.regit.org/netfilter-en/secure-use-of-helpers/

I chose to enable this by default (when the firewall is enabled) as it's a good idea in general. Only people with advanced routing needs might not want this, but I guess they don't use the nixos firewall anyway and use a custom solution.

Furthermore, the option only becomes available in kernel 3.3+, so conservative nixos users that just stick to the default kernel will not need to act now just yet.
parent e40146de16
commit 6c62de6a31
@ -39,6 +39,11 @@ let
|
|||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
kernelPackages = config.boot.kernelPackages;
|
||||||
|
kernelHasRPFilter = kernelPackages.kernel ? features
|
||||||
|
&& kernelPackages.kernel.features ? netfilterRPFilter
|
||||||
|
&& kernelPackages.kernel.features.netfilterRPFilter;
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
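Review bot: `kernelHasRPFilter` is decided by a Nix-side attribute (`kernelPackages.kernel.features.netfilterRPFilter`), not by what the running kernel was actually built with, so a custom `boot.kernelPackages` that has rpfilter compiled in but does not set `features.netfilterRPFilter` is treated as unsupported and the new option silently defaults to off. A short comment next to this binding (or a line in the option description) saying that custom kernel packages must declare `features.netfilterRPFilter = true` to get the default would save users from wondering why the rule never appears.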
@ -140,6 +145,22 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.firewall.checkReversePath = mkOption {
|
||||||
|
default = kernelHasRPFilter;
|
||||||
|
type = types.bool;
|
||||||
|
description =
|
||||||
|
''
|
||||||
|
Performs a reverse path filter test on a packet.
|
||||||
|
If a reply to the packet would not be sent via the same interface
|
||||||
|
that the packet arrived on, it is refused.
|
||||||
|
|
||||||
|
If using asymmetric routing or other complicated routing,
|
||||||
|
disable this setting and setup your own counter-measures.
|
||||||
|
|
||||||
|
(needs kernel 3.3+)
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall.extraCommands = mkOption {
|
networking.firewall.extraCommands = mkOption {
|
||||||
default = "";
|
default = "";
|
||||||
example = "iptables -A INPUT -p icmp -j ACCEPT";
|
example = "iptables -A INPUT -p icmp -j ACCEPT";
|
||||||
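Review bot: the description says a packet that fails the test "is refused", but the rule this commit adds lower down drops it silently in the raw table with no logging, and it does so in PREROUTING, ahead of the trusted-interfaces accept rule in the `nixos-fw` chain; the text should say "dropped" and state that `networking.firewall.trustedInterfaces` are not exempt. Two smaller points: "setup your own counter-measures" should read "set up your own counter-measures", and since the commit message presents this as a replacement for `/proc/sys/net/ipv4/conf/*/rp_filter`, the description should mention that sysctl and say whether it is still applied alongside this option.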
@ -170,6 +191,9 @@ in
|
|||||||
|
|
||||||
boot.kernelModules = [ "nf_conntrack_ftp" ];
|
boot.kernelModules = [ "nf_conntrack_ftp" ];
|
||||||
|
|
||||||
|
assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter;
|
||||||
|
message = "This kernel does not support rpfilter"; } ];
|
||||||
|
|
||||||
jobs.firewall =
|
jobs.firewall =
|
||||||
{ startOn = "started network-interfaces";
|
{ startOn = "started network-interfaces";
|
||||||
|
|
||||||
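Review bot: the assertion message "This kernel does not support rpfilter" does not name the option or the action the user has to take. Because `default = kernelHasRPFilter`, this assertion can only fire when someone explicitly set `networking.firewall.checkReversePath = true` on an unsupported kernel, so the message should say that, e.g. `message = "networking.firewall.checkReversePath requires a kernel with rpfilter support (3.3+)";`.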
@ -233,6 +257,12 @@ in
|
|||||||
# The "nixos-fw" chain does the actual work.
|
# The "nixos-fw" chain does the actual work.
|
||||||
ip46tables -N nixos-fw
|
ip46tables -N nixos-fw
|
||||||
|
|
||||||
|
# Perform a reverse-path test to refuse spoofers
|
||||||
|
# For now, we just drop, as the raw table doesn't have a log-refuse yet
|
||||||
|
${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
|
||||||
|
ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP
|
||||||
|
''}
|
||||||
|
|
||||||
# Accept all traffic on the trusted interfaces.
|
# Accept all traffic on the trusted interfaces.
|
||||||
${flip concatMapStrings cfg.trustedInterfaces (iface: ''
|
${flip concatMapStrings cfg.trustedInterfaces (iface: ''
|
||||||
ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept
|
ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept
|
||||||
|
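Review bot: the guard `optionalString (kernelHasRPFilter && cfg.checkReversePath)` duplicates the assertion added in the previous hunk, which already guarantees `kernelHasRPFilter` whenever `cfg.checkReversePath` is true; `optionalString cfg.checkReversePath` would suffice and avoids two checks that could drift apart. Also note that `ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP` runs for both IPv4 and IPv6 and sits in the raw table before the filter-table `nixos-fw` chain, so packets arriving on `cfg.trustedInterfaces` that fail the reverse-path test are dropped as well; if that is intended, say so in the option description, otherwise exclude the trusted interfaces from this rule. Since the comment admits the drop is unlogged for now, a TODO marker here would make the missing log-refuse easy to find later.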