From 97a3a99b40a2f3183f6c87af4c27664cbd030065 Mon Sep 17 00:00:00 2001 From: Mathijs Kwik Date: Fri, 12 Oct 2012 13:16:33 +0200 Subject: [PATCH] firewall: options to select connection-tracking helpers My main reason for adding this is the ability to turn off helpers altogether. If you are not using any of the special protocols, keeping them turned off is safest, and in case you do want to use them, it's best to configure them through the new CT target for your network topology. Perhaps some sane defaults for nixos can be examined in the future. This change has no impact if you don't touch the added options, so no need to adapt. --- modules/services/networking/firewall.nix | 45 ++++++++++++++++++++++-- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix index 7ea4e593cd1..8ddeacf1a0f 100644 --- a/modules/services/networking/firewall.nix +++ b/modules/services/networking/firewall.nix @@ -44,6 +44,10 @@ let && kernelPackages.kernel.features ? netfilterRPFilter && kernelPackages.kernel.features.netfilterRPFilter; + kernelCanDisableHelpers = kernelPackages.kernel ? features + && kernelPackages.kernel.features ? canDisableNetfilterConntrackHelpers + && kernelPackages.kernel.features.canDisableNetfilterConntrackHelpers; + in { @@ -161,6 +165,37 @@ in ''; }; + networking.firewall.connectionTrackingModules = mkOption { + default = [ "ftp" ]; + example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; + type = types.list types.string; + description = + '' + List of connection-tracking helpers that are auto-loaded. + The complete list of possible values is given in the example. + + As helpers can pose as a security risk, it is adviced to + set this to an empty list and disable the setting + networking.firewall.autoLoadConntrackHelpers + + Loading of helpers is recommended to be done through the new + CT target. More info: + https://home.regit.org/netfilter-en/secure-use-of-helpers/ + ''; + }; + + networking.firewall.autoLoadConntrackHelpers = mkOption { + default = true; + type = types.bool; + description = + '' + Whether to auto-load connection-tracking helpers. + See the description at networking.firewall.connectionTrackingModules + + (needs kernel 3.5+) + ''; + }; + networking.firewall.extraCommands = mkOption { default = ""; example = "iptables -A INPUT -p icmp -j ACCEPT"; @@ -189,10 +224,16 @@ in environment.systemPackages = [ pkgs.iptables ]; - boot.kernelModules = [ "nf_conntrack_ftp" ]; + boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; + boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) '' + options nf_conntrack nf_conntrack_helper=0 + ''; assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter; - message = "This kernel does not support rpfilter"; } ]; + message = "This kernel does not support rpfilter"; } + { assertion = cfg.autoLoadConntrackHelpers || kernelCanDisableHelpers; + message = "This kernel does not support disabling conntrack helpers"; } + ]; jobs.firewall = { startOn = "started network-interfaces";