* Firewall: by default, only log rejected TCP connections. Otherwise

you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505
2009-09-29 14:21:56 +00:00 · 2009-09-29 14:21:56 +00:00 · a5ad5a035e
parent eb1ee3206e
commit a5ad5a035e
1 changed files with 47 additions and 9 deletions
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@ -1,9 +1,13 @@
-{pkgs, config, ...}:
+{ config, pkgs, ... }:
+
+with pkgs.lib;

 let

  iptables = "${pkgs.iptables}/sbin/iptables";

+  cfg = config.networking.firewall;
+
 in

 {
@ -12,7 +16,7 @@ in

  options = {
  
-    networking.firewall.enable = pkgs.lib.mkOption {
+    networking.firewall.enable = mkOption {
      default = false;
      description =
        ''
@ -20,10 +24,39 @@ in
        '';
    };
  
-    networking.firewall.allowedTCPPorts = pkgs.lib.mkOption {
+    networking.firewall.logRefusedConnections = mkOption {
+      default = true;
+      description =
+        ''
+          Whether to log rejected or dropped incoming connections.
+        '';
+    };
+  
+    networking.firewall.logRefusedPackets = mkOption {
+      default = false;
+      description =
+        ''
+          Whether to log all rejected or dropped incoming packets.
+          This tends to give a lot of log messages, so it's mostly
+          useful for debugging.
+        '';
+    };
+
+    networking.firewall.rejectPackets = mkOption {
+      default = false;
+      description =
+        ''
+          If set, forbidden packets are rejected rather than dropped
+          (ignored).  This means that a ICMP "port unreachable" error
+          message is sent back to the client.  Rejecting packets makes
+          port scanning somewhat easier.
+        '';
+    };
+  
+    networking.firewall.allowedTCPPorts = mkOption {
      default = [];
      example = [22 80];
-      type = pkgs.lib.types.list pkgs.lib.types.int;
+      type = types.list types.int;
      description =
        ''
          List of TCP ports on which incoming connections are
@ -41,11 +74,11 @@ in
  # doesn't deal with such Upstart jobs properly (it starts them if
  # they are changed, regardless of whether the start condition
  # holds).
-  config = pkgs.lib.mkIf config.networking.firewall.enable {
+  config = mkIf config.networking.firewall.enable {

    environment.systemPackages = [pkgs.iptables];

-    jobs = pkgs.lib.singleton
+    jobs = singleton
      { name = "firewall";

        startOn = "network-interfaces/started";
@ -61,7 +94,7 @@ in
            ${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

            # Accept connections to the allowed TCP ports.            
-            ${pkgs.lib.concatMapStrings (port:
+            ${concatMapStrings (port:
                ''
                  ${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT
                ''
@ -73,8 +106,13 @@ in
            ${iptables} -A INPUT -d 224.0.0.0/4 -j ACCEPT

            # Drop everything else.
-            ${iptables} -A INPUT -j LOG --log-level info --log-prefix "firewall: "
-            ${iptables} -A INPUT -j DROP
+            ${optionalString cfg.logRefusedConnections ''
+              ${iptables} -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
+            ''}
+            ${optionalString cfg.logRefusedPackets ''
+              ${iptables} -A INPUT -j LOG --log-level info --log-prefix "rejected packet: "
+            ''}
+            ${iptables} -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
          '';

        postStop =