* Firewall: by default, only log rejected TCP connections. Otherwise
  you get a lot of garbage in the log.  Also, add an option to reject
  instead of drop packets.

svn path=/nixos/trunk/; revision=17505
Eelco Dolstra 2009-09-29 14:21:56 +00:00
parent eb1ee3206e
commit a5ad5a035e


@ -1,9 +1,13 @@
{pkgs, config, ...}: { config, pkgs, ... }:
with pkgs.lib;
let let
iptables = "${pkgs.iptables}/sbin/iptables"; iptables = "${pkgs.iptables}/sbin/iptables";
cfg = config.networking.firewall;
in in
{ {
@ -12,7 +16,7 @@ in
options = { options = {
networking.firewall.enable = pkgs.lib.mkOption { networking.firewall.enable = mkOption {
default = false; default = false;
description = description =
'' ''
@ -20,10 +24,39 @@ in
''; '';
}; };
networking.firewall.allowedTCPPorts = pkgs.lib.mkOption { networking.firewall.logRefusedConnections = mkOption {
default = true;
description =
''
Whether to log rejected or dropped incoming connections.
'';
};
networking.firewall.logRefusedPackets = mkOption {
default = false;
description =
''
Whether to log all rejected or dropped incoming packets.
This tends to give a lot of log messages, so it's mostly
useful for debugging.
'';
};
networking.firewall.rejectPackets = mkOption {
default = false;
description =
''
If set, forbidden packets are rejected rather than dropped
(ignored). This means that a ICMP "port unreachable" error
message is sent back to the client. Rejecting packets makes
port scanning somewhat easier.
'';
};
networking.firewall.allowedTCPPorts = mkOption {
default = []; default = [];
example = [22 80]; example = [22 80];
type = pkgs.lib.types.list pkgs.lib.types.int; type = types.list types.int;
description = description =
'' ''
List of TCP ports on which incoming connections are List of TCP ports on which incoming connections are
@ -41,11 +74,11 @@ in
# doesn't deal with such Upstart jobs properly (it starts them if # doesn't deal with such Upstart jobs properly (it starts them if
# they are changed, regardless of whether the start condition # they are changed, regardless of whether the start condition
# holds). # holds).
config = pkgs.lib.mkIf config.networking.firewall.enable { config = mkIf config.networking.firewall.enable {
environment.systemPackages = [pkgs.iptables]; environment.systemPackages = [pkgs.iptables];
jobs = pkgs.lib.singleton jobs = singleton
{ name = "firewall"; { name = "firewall";
startOn = "network-interfaces/started"; startOn = "network-interfaces/started";
@ -61,7 +94,7 @@ in
${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept connections to the allowed TCP ports. # Accept connections to the allowed TCP ports.
${pkgs.lib.concatMapStrings (port: ${concatMapStrings (port:
'' ''
${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT ${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT
'' ''
@ -73,8 +106,13 @@ in
${iptables} -A INPUT -d 224.0.0.0/4 -j ACCEPT ${iptables} -A INPUT -d 224.0.0.0/4 -j ACCEPT
# Drop everything else. # Drop everything else.
${iptables} -A INPUT -j LOG --log-level info --log-prefix "firewall: " ${optionalString cfg.logRefusedConnections ''
${iptables} -A INPUT -j DROP ${iptables} -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
''}
${optionalString cfg.logRefusedPackets ''
${iptables} -A INPUT -j LOG --log-level info --log-prefix "rejected packet: "
''}
${iptables} -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
''; '';
postStop = postStop =
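Review bot: Neither of the new LOG rules (`-A INPUT -p tcp --syn -j LOG ...` and the catch-all `-A INPUT -j LOG ...`) is rate-limited, so any host that can reach the machine can fill the kernel log and the syslog-backed disk at line rate, which works against this commit's own aim of cutting log noise. The standard guard is a limit match on each LOG rule, e.g. `${iptables} -A INPUT -p tcp --syn -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "rejected connection: "` with the same `-m limit ...` clause on the catch-all rule; the limit values could later become an option. Because LOG is a non-terminating target, a configuration with both logRefusedConnections and logRefusedPackets enabled logs every refused SYN twice, once under each prefix, which the logRefusedPackets description should mention (e.g. "When enabled together with logRefusedConnections, refused TCP connection attempts are logged twice."). The final `-j REJECT` uses the default reject-with, i.e. ICMP port unreachable as the option text says; if the intent is to look like a closed port to TCP clients, `--reject-with tcp-reset` for `-p tcp` is the more conventional choice, but that is a design decision. The enclosing job script (and the firewall job definition) begins before this hunk and is not visible here.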