firewall: disable conntrack helper autoloading by default

This has been disabled in the Linux kernel since 4.7 and poses a security risk
if not configured properly.

https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
This commit is contained in:
Franz Pletz 2017-01-22 17:29:38 +01:00
parent 403fdd737e
commit 8322a12ef2
No known key found for this signature in database
GPG Key ID: 846FDED7792617B4
2 changed files with 10 additions and 10 deletions


@ -425,7 +425,7 @@ in
networking.firewall.connectionTrackingModules = mkOption { networking.firewall.connectionTrackingModules = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ "ftp" ]; default = [ ];
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
description = description =
'' ''
@ -434,9 +434,11 @@ in
As helpers can pose as a security risk, it is advised to As helpers can pose as a security risk, it is advised to
set this to an empty list and disable the setting set this to an empty list and disable the setting
networking.firewall.autoLoadConntrackHelpers networking.firewall.autoLoadConntrackHelpers unless you
know what you are doing. Connection tracking is disabled
by default.
Loading of helpers is recommended to be done through the new Loading of helpers is recommended to be done through the
CT target. More info: CT target. More info:
https://home.regit.org/netfilter-en/secure-use-of-helpers/ https://home.regit.org/netfilter-en/secure-use-of-helpers/
''; '';
@ -444,7 +446,7 @@ in
networking.firewall.autoLoadConntrackHelpers = mkOption { networking.firewall.autoLoadConntrackHelpers = mkOption {
type = types.bool; type = types.bool;
default = true; default = false;
description = description =
'' ''
Whether to auto-load connection-tracking helpers. Whether to auto-load connection-tracking helpers.
@ -504,9 +506,10 @@ in
environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages; environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) '' ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
options nf_conntrack nf_conntrack_helper=0 boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers ''
options nf_conntrack nf_conntrack_helper=1
''; '';
assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter; assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;
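Review bot: With the new default of false the modprobe option is no longer written at all, so on kernels before 4.7 (where, per the commit message, the kernel default still enables helper autoloading) the behaviour this commit means to turn off stays on; the removed `options nf_conntrack nf_conntrack_helper=0` line was what enforced it there. Writing the value in both cases keeps the NixOS option authoritative regardless of kernel default, e.g. `boot.extraModprobeConfig = ''` / `options nf_conntrack nf_conntrack_helper=${if cfg.autoLoadConntrackHelpers then "1" else "0"}` / `'';`. The added description text "Connection tracking is disabled by default." overstates the change, since only automatic helper assignment is off and conntrack itself still runs; "Automatic loading of helpers is disabled by default." would be accurate. The enclosing config attribute set continues outside the hunk.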


@ -65,9 +65,6 @@ import ./make-test.nix ({ pkgs, withFirewall, ... }:
$server->succeed("echo Hello World > /home/ftp/foo.txt"); $server->succeed("echo Hello World > /home/ftp/foo.txt");
$client->succeed("curl -v ftp://server/foo.txt >&2"); $client->succeed("curl -v ftp://server/foo.txt >&2");
# Test whether active FTP works.
$client->succeed("curl -v -P - ftp://server/foo.txt >&2");
# Test ICMP. # Test ICMP.
$client->succeed("ping -c 1 router >&2"); $client->succeed("ping -c 1 router >&2");
$router->succeed("ping -c 1 client >&2"); $router->succeed("ping -c 1 client >&2");