* Cleanup.
svn path=/nixos/trunk/; revision=26228
This commit is contained in:
Eelco Dolstra
parent
6f1068b0b7
commit
843e1f6c1e
@ -4,8 +4,6 @@ with pkgs.lib;
|
|||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
iptables = "${pkgs.iptables}/sbin/iptables";
|
|
||||||
|
|
||||||
cfg = config.networking.firewall;
|
cfg = config.networking.firewall;
|
||||||
|
|
||||||
in
|
in
|
||||||
@ -76,47 +74,49 @@ in
|
|||||||
# holds).
|
# holds).
|
||||||
config = mkIf config.networking.firewall.enable {
|
config = mkIf config.networking.firewall.enable {
|
||||||
|
|
||||||
environment.systemPackages = [pkgs.iptables];
|
environment.systemPackages = [ pkgs.iptables ];
|
||||||
|
|
||||||
jobs.firewall =
|
jobs.firewall =
|
||||||
{ startOn = "started network-interfaces";
|
{ startOn = "started network-interfaces";
|
||||||
|
|
||||||
|
path = [ pkgs.iptables ];
|
||||||
|
|
||||||
preStart =
|
preStart =
|
||||||
''
|
''
|
||||||
${iptables} -F
|
iptables -F
|
||||||
|
|
||||||
# Accept all traffic on the loopback interface.
|
# Accept all traffic on the loopback interface.
|
||||||
${iptables} -A INPUT -i lo -j ACCEPT
|
iptables -A INPUT -i lo -j ACCEPT
|
||||||
|
|
||||||
# Accept packets from established or related connections.
|
# Accept packets from established or related connections.
|
||||||
${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
# Accept connections to the allowed TCP ports.
|
# Accept connections to the allowed TCP ports.
|
||||||
${concatMapStrings (port:
|
${concatMapStrings (port:
|
||||||
''
|
''
|
||||||
${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT
|
iptables -A INPUT -p tcp --dport ${toString port} -j ACCEPT
|
||||||
''
|
''
|
||||||
) config.networking.firewall.allowedTCPPorts
|
) config.networking.firewall.allowedTCPPorts
|
||||||
}
|
}
|
||||||
|
|
||||||
# Accept multicast. Not a big security risk since
|
# Accept multicast. Not a big security risk since
|
||||||
# probably nobody is listening anyway.
|
# probably nobody is listening anyway.
|
||||||
${iptables} -A INPUT -d 224.0.0.0/4 -j ACCEPT
|
iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT
|
||||||
|
|
||||||
# Drop everything else.
|
# Drop everything else.
|
||||||
${optionalString cfg.logRefusedConnections ''
|
${optionalString cfg.logRefusedConnections ''
|
||||||
${iptables} -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
|
iptables -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
|
||||||
''}
|
''}
|
||||||
${optionalString cfg.logRefusedPackets ''
|
${optionalString cfg.logRefusedPackets ''
|
||||||
${iptables} -A INPUT -j LOG --log-level info --log-prefix "rejected packet: "
|
iptables -A INPUT -j LOG --log-level info --log-prefix "rejected packet: "
|
||||||
''}
|
''}
|
||||||
${iptables} -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
|
iptables -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
postStop =
|
postStop =
|
||||||
''
|
''
|
||||||
${iptables} -F
|
iptables -F
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|||||||
@ -162,9 +162,10 @@ in
|
|||||||
|
|
||||||
startOn = "stopped udevtrigger";
|
startOn = "stopped udevtrigger";
|
||||||
|
|
||||||
|
path = [ config.system.sbin.modprobe pkgs.iproute ];
|
||||||
|
|
||||||
preStart =
|
preStart =
|
||||||
''
|
''
|
||||||
export PATH=${config.system.sbin.modprobe}/sbin:${pkgs.iproute}/sbin:$PATH
|
|
||||||
modprobe af_packet || true
|
modprobe af_packet || true
|
||||||
|
|
||||||
${pkgs.lib.concatMapStrings (i:
|
${pkgs.lib.concatMapStrings (i:
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user