public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

firewall: add support for TCP/UDP port ranges

Browse Source 
This is useful for packages like mosh, which use a wide UDP port range
by default for incoming connections.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
This commit is contained in:
Austin Seipp 2014-02-19 05:19:19 -06:00 committed by Domen Kožar
parent 0df7152c8f
commit fc9022bea1
1 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
nixos/modules/services/networking/firewall.nix
View File

@ -128,6 +128,17 @@ in
''; '';
}; };
networking.firewall.allowedTCPPortRanges = mkOption {
default = [];
example = [ { from = 8999; to = 9003; } ];
type = types.listOf (types.attrsOf types.int);
description =
''
A range of TCP ports on which incoming connections are
accepted.
'';
};
networking.firewall.allowedUDPPorts = mkOption { networking.firewall.allowedUDPPorts = mkOption {
default = []; default = [];
example = [ 53 ]; example = [ 53 ];
@ -138,6 +149,16 @@ in
''; '';
}; };
networking.firewall.allowedUDPPortRanges = mkOption {
default = [];
example = [ { from = 60000; to = 61000; } ];
type = types.listOf (types.attrsOf types.int);
description =
''
Range of open UDP ports.
'';
};
networking.firewall.allowPing = mkOption { networking.firewall.allowPing = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
@ -322,6 +343,15 @@ in
) cfg.allowedTCPPorts ) cfg.allowedTCPPorts
} }
# Accept connections to the allowed TCP port ranges.
${concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
''
ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept
''
) cfg.allowedTCPPortRanges
}
# Accept packets on the allowed UDP ports. # Accept packets on the allowed UDP ports.
${concatMapStrings (port: ${concatMapStrings (port:
'' ''
@ -330,6 +360,15 @@ in
) cfg.allowedUDPPorts ) cfg.allowedUDPPorts
} }
# Accept packets on the allowed UDP port ranges.
${concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
''
ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept
''
) cfg.allowedUDPPortRanges
}
# Accept IPv4 multicast. Not a big security risk since # Accept IPv4 multicast. Not a big security risk since
# probably nobody is listening anyway. # probably nobody is listening anyway.
#iptables -A nixos-fw -d 224.0.0.0/4 -j nixos-fw-accept #iptables -A nixos-fw -d 224.0.0.0/4 -j nixos-fw-accept