nixos/firewall: per-interface port options

gnidorah 2018-05-29 22:10:25 +03:00
parent 0450c7f5f3
commit c60c8aa759


@ -148,38 +148,42 @@ let
ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept
# Accept connections to the allowed TCP ports. # Accept connections to the allowed TCP ports.
${concatMapStrings (port: ${concatStrings (mapAttrsToList (iface: cfg:
concatMapStrings (port:
'' ''
ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
'' ''
) cfg.allowedTCPPorts ) cfg.allowedTCPPorts
} ) cfg.interfaces)}
# Accept connections to the allowed TCP port ranges. # Accept connections to the allowed TCP port ranges.
${concatMapStrings (rangeAttr: ${concatStrings (mapAttrsToList (iface: cfg:
concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
'' ''
ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
'' ''
) cfg.allowedTCPPortRanges ) cfg.allowedTCPPortRanges
} ) cfg.interfaces)}
# Accept packets on the allowed UDP ports. # Accept packets on the allowed UDP ports.
${concatMapStrings (port: ${concatStrings (mapAttrsToList (iface: cfg:
concatMapStrings (port:
'' ''
ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
'' ''
) cfg.allowedUDPPorts ) cfg.allowedUDPPorts
} ) cfg.interfaces)}
# Accept packets on the allowed UDP port ranges. # Accept packets on the allowed UDP port ranges.
${concatMapStrings (rangeAttr: ${concatStrings (mapAttrsToList (iface: cfg:
concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
'' ''
ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
'' ''
) cfg.allowedUDPPortRanges ) cfg.allowedUDPPortRanges
} ) cfg.interfaces)}
# Accept IPv4 multicast. Not a big security risk since # Accept IPv4 multicast. Not a big security risk since
# probably nobody is listening anyway. # probably nobody is listening anyway.
@ -254,6 +258,50 @@ let
fi fi
''; '';
commonOptions = {
allowedTCPPorts = mkOption {
type = types.listOf types.int;
default = [ ];
example = [ 22 80 ];
description =
''
List of TCP ports on which incoming connections are
accepted.
'';
};
allowedTCPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
default = [ ];
example = [ { from = 8999; to = 9003; } ];
description =
''
A range of TCP ports on which incoming connections are
accepted.
'';
};
allowedUDPPorts = mkOption {
type = types.listOf types.int;
default = [ ];
example = [ 53 ];
description =
''
List of open UDP ports.
'';
};
allowedUDPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
default = [ ];
example = [ { from = 60000; to = 61000; } ];
description =
''
Range of open UDP ports.
'';
};
};
in in
{ {
@ -262,7 +310,8 @@ in
options = { options = {
networking.firewall.enable = mkOption { networking.firewall = {
enable = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = description =
@ -274,7 +323,7 @@ in
''; '';
}; };
networking.firewall.logRefusedConnections = mkOption { logRefusedConnections = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = description =
@ -283,7 +332,7 @@ in
''; '';
}; };
networking.firewall.logRefusedPackets = mkOption { logRefusedPackets = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = description =
@ -294,7 +343,7 @@ in
''; '';
}; };
networking.firewall.logRefusedUnicastsOnly = mkOption { logRefusedUnicastsOnly = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = description =
@ -306,7 +355,7 @@ in
''; '';
}; };
networking.firewall.rejectPackets = mkOption { rejectPackets = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = description =
@ -319,7 +368,7 @@ in
''; '';
}; };
networking.firewall.trustedInterfaces = mkOption { trustedInterfaces = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [ ];
example = [ "enp0s2" ]; example = [ "enp0s2" ];
@ -331,49 +380,7 @@ in
''; '';
}; };
networking.firewall.allowedTCPPorts = mkOption { allowPing = mkOption {
type = types.listOf types.int;
default = [ ];
example = [ 22 80 ];
description =
''
List of TCP ports on which incoming connections are
accepted.
'';
};
networking.firewall.allowedTCPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
default = [ ];
example = [ { from = 8999; to = 9003; } ];
description =
''
A range of TCP ports on which incoming connections are
accepted.
'';
};
networking.firewall.allowedUDPPorts = mkOption {
type = types.listOf types.int;
default = [ ];
example = [ 53 ];
description =
''
List of open UDP ports.
'';
};
networking.firewall.allowedUDPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
default = [ ];
example = [ { from = 60000; to = 61000; } ];
description =
''
Range of open UDP ports.
'';
};
networking.firewall.allowPing = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = description =
@ -385,7 +392,7 @@ in
''; '';
}; };
networking.firewall.pingLimit = mkOption { pingLimit = mkOption {
type = types.nullOr (types.separatedString " "); type = types.nullOr (types.separatedString " ");
default = null; default = null;
example = "--limit 1/minute --limit-burst 5"; example = "--limit 1/minute --limit-burst 5";
@ -397,7 +404,7 @@ in
''; '';
}; };
networking.firewall.checkReversePath = mkOption { checkReversePath = mkOption {
type = types.either types.bool (types.enum ["strict" "loose"]); type = types.either types.bool (types.enum ["strict" "loose"]);
default = kernelHasRPFilter; default = kernelHasRPFilter;
example = "loose"; example = "loose";
@ -420,7 +427,7 @@ in
''; '';
}; };
networking.firewall.logReversePathDrops = mkOption { logReversePathDrops = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = description =
@ -430,7 +437,7 @@ in
''; '';
}; };
networking.firewall.connectionTrackingModules = mkOption { connectionTrackingModules = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [ ];
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
@ -451,7 +458,7 @@ in
''; '';
}; };
networking.firewall.autoLoadConntrackHelpers = mkOption { autoLoadConntrackHelpers = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = description =
@ -463,7 +470,7 @@ in
''; '';
}; };
networking.firewall.extraCommands = mkOption { extraCommands = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
example = "iptables -A INPUT -p icmp -j ACCEPT"; example = "iptables -A INPUT -p icmp -j ACCEPT";
@ -476,7 +483,7 @@ in
''; '';
}; };
networking.firewall.extraPackages = mkOption { extraPackages = mkOption {
type = types.listOf types.package; type = types.listOf types.package;
default = [ ]; default = [ ];
example = literalExample "[ pkgs.ipset ]"; example = literalExample "[ pkgs.ipset ]";
@ -487,7 +494,7 @@ in
''; '';
}; };
networking.firewall.extraStopCommands = mkOption { extraStopCommands = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
example = "iptables -P INPUT ACCEPT"; example = "iptables -P INPUT ACCEPT";
@ -500,6 +507,20 @@ in
''; '';
}; };
interfaces = mkOption {
default = {
default = mapAttrs (name: value: cfg."${name}") commonOptions;
};
type = with types; attrsOf (submodule [ { options = commonOptions; } ]);
description =
''
Interface-specific open ports. Setting this value will override
all values of the <literal>networking.firewall.allowed*</literal>
options.
'';
};
} // commonOptions;
}; };