ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept
# Accept connections to the allowed TCP ports.
151
-
${concatMapStrings (port:
151
+
${concatStrings (mapAttrsToList (iface: cfg:
152
+
concatMapStrings (port:
153
-
ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept
154
+
ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
# Accept connections to the allowed TCP port ranges.
159
-
${concatMapStrings (rangeAttr:
160
+
${concatStrings (mapAttrsToList (iface: cfg:
161
+
concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
162
-
ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept
164
+
ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
) cfg.allowedTCPPortRanges
# Accept packets on the allowed UDP ports.
168
-
${concatMapStrings (port:
170
+
${concatStrings (mapAttrsToList (iface: cfg:
171
+
concatMapStrings (port:
170
-
ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept
173
+
ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
# Accept packets on the allowed UDP port ranges.
176
-
${concatMapStrings (rangeAttr:
179
+
${concatStrings (mapAttrsToList (iface: cfg:
180
+
concatMapStrings (rangeAttr:
let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
179
-
ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept
183
+
ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}
) cfg.allowedUDPPortRanges
# Accept IPv4 multicast. Not a big security risk since
# probably nobody is listening anyway.
265
-
networking.firewall.enable = mkOption {
270
-
Whether to enable the firewall. This is a simple stateful
271
-
firewall that blocks connection attempts to unauthorised TCP
272
-
or UDP ports on this machine. It does not affect packet
277
-
networking.firewall.logRefusedConnections = mkOption {
282
-
Whether to log rejected or dropped incoming connections.
286
-
networking.firewall.logRefusedPackets = mkOption {
291
-
Whether to log all rejected or dropped incoming packets.
292
-
This tends to give a lot of log messages, so it's mostly
293
-
useful for debugging.
297
-
networking.firewall.logRefusedUnicastsOnly = mkOption {
302
-
If <option>networking.firewall.logRefusedPackets</option>
303
-
and this option are enabled, then only log packets
304
-
specifically directed at this machine, i.e., not broadcasts
309
-
networking.firewall.rejectPackets = mkOption {
314
-
If set, refused packets are rejected rather than dropped
315
-
(ignored). This means that an ICMP "port unreachable" error
316
-
message is sent back to the client (or a TCP RST packet in
317
-
case of an existing connection). Rejecting packets makes
318
-
port scanning somewhat easier.
322
-
networking.firewall.trustedInterfaces = mkOption {
323
-
type = types.listOf types.str;
325
-
example = [ "enp0s2" ];
328
-
Traffic coming in from these interfaces will be accepted
329
-
unconditionally. Traffic from the loopback (lo) interface
330
-
will always be accepted.
334
-
networking.firewall.allowedTCPPorts = mkOption {
262
+
allowedTCPPorts = mkOption {
type = types.listOf types.int;
List of TCP ports on which incoming connections are
345
-
networking.firewall.allowedTCPPortRanges = mkOption {
273
+
allowedTCPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
example = [ { from = 8999; to = 9003; } ];
A range of TCP ports on which incoming connections are
356
-
networking.firewall.allowedUDPPorts = mkOption {
284
+
allowedUDPPorts = mkOption {
type = types.listOf types.int;
366
-
networking.firewall.allowedUDPPortRanges = mkOption {
294
+
allowedUDPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
example = [ { from = 60000; to = 61000; } ];
376
-
networking.firewall.allowPing = mkOption {
381
-
Whether to respond to incoming ICMPv4 echo requests
382
-
("pings"). ICMPv6 pings are always allowed because the
383
-
larger address space of IPv6 makes network scanning much
313
+
networking.firewall = {
314
+
enable = mkOption {
319
+
Whether to enable the firewall. This is a simple stateful
320
+
firewall that blocks connection attempts to unauthorised TCP
321
+
or UDP ports on this machine. It does not affect packet
326
+
logRefusedConnections = mkOption {
331
+
Whether to log rejected or dropped incoming connections.
335
+
logRefusedPackets = mkOption {
340
+
Whether to log all rejected or dropped incoming packets.
341
+
This tends to give a lot of log messages, so it's mostly
342
+
useful for debugging.
346
+
logRefusedUnicastsOnly = mkOption {
351
+
If <option>networking.firewall.logRefusedPackets</option>
352
+
and this option are enabled, then only log packets
353
+
specifically directed at this machine, i.e., not broadcasts
358
+
rejectPackets = mkOption {
363
+
If set, refused packets are rejected rather than dropped
364
+
(ignored). This means that an ICMP "port unreachable" error
365
+
message is sent back to the client (or a TCP RST packet in
366
+
case of an existing connection). Rejecting packets makes
367
+
port scanning somewhat easier.
371
+
trustedInterfaces = mkOption {
372
+
type = types.listOf types.str;
374
+
example = [ "enp0s2" ];
377
+
Traffic coming in from these interfaces will be accepted
378
+
unconditionally. Traffic from the loopback (lo) interface
379
+
will always be accepted.
383
+
allowPing = mkOption {
388
+
Whether to respond to incoming ICMPv4 echo requests
389
+
("pings"). ICMPv6 pings are always allowed because the
390
+
larger address space of IPv6 makes network scanning much
395
+
pingLimit = mkOption {
396
+
type = types.nullOr (types.separatedString " ");
398
+
example = "--limit 1/minute --limit-burst 5";
401
+
If pings are allowed, this allows setting rate limits
402
+
on them. If non-null, this option should be in the form of
403
+
flags like "--limit 1/minute --limit-burst 5"
388
-
networking.firewall.pingLimit = mkOption {
389
-
type = types.nullOr (types.separatedString " ");
391
-
example = "--limit 1/minute --limit-burst 5";
394
-
If pings are allowed, this allows setting rate limits
395
-
on them. If non-null, this option should be in the form of
396
-
flags like "--limit 1/minute --limit-burst 5"
407
+
checkReversePath = mkOption {
408
+
type = types.either types.bool (types.enum ["strict" "loose"]);
409
+
default = kernelHasRPFilter;
413
+
Performs a reverse path filter test on a packet. If a reply
414
+
to the packet would not be sent via the same interface that
415
+
the packet arrived on, it is refused.
400
-
networking.firewall.checkReversePath = mkOption {
401
-
type = types.either types.bool (types.enum ["strict" "loose"]);
402
-
default = kernelHasRPFilter;
406
-
Performs a reverse path filter test on a packet. If a reply
407
-
to the packet would not be sent via the same interface that
408
-
the packet arrived on, it is refused.
417
+
If using asymmetric routing or other complicated routing, set
418
+
this option to loose mode or disable it and setup your own
410
-
If using asymmetric routing or other complicated routing, set
411
-
this option to loose mode or disable it and setup your own
421
+
This option can be either true (or "strict"), "loose" (only
422
+
drop the packet if the source address is not reachable via any
423
+
interface) or false. Defaults to the value of
414
-
This option can be either true (or "strict"), "loose" (only
415
-
drop the packet if the source address is not reachable via any
416
-
interface) or false. Defaults to the value of
426
+
(needs kernel 3.3+)
419
-
(needs kernel 3.3+)
430
+
logReversePathDrops = mkOption {
435
+
Logs dropped packets failing the reverse path filter test if
436
+
the option networking.firewall.checkReversePath is enabled.
423
-
networking.firewall.logReversePathDrops = mkOption {
428
-
Logs dropped packets failing the reverse path filter test if
429
-
the option networking.firewall.checkReversePath is enabled.
440
+
connectionTrackingModules = mkOption {
441
+
type = types.listOf types.str;
443
+
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
446
+
List of connection-tracking helpers that are auto-loaded.
447
+
The complete list of possible values is given in the example.
433
-
networking.firewall.connectionTrackingModules = mkOption {
434
-
type = types.listOf types.str;
436
-
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
439
-
List of connection-tracking helpers that are auto-loaded.
440
-
The complete list of possible values is given in the example.
449
+
As helpers can pose as a security risk, it is advised to
450
+
set this to an empty list and disable the setting
451
+
networking.firewall.autoLoadConntrackHelpers unless you
452
+
know what you are doing. Connection tracking is disabled
442
-
As helpers can pose as a security risk, it is advised to
443
-
set this to an empty list and disable the setting
444
-
networking.firewall.autoLoadConntrackHelpers unless you
445
-
know what you are doing. Connection tracking is disabled
455
+
Loading of helpers is recommended to be done through the
456
+
CT target. More info:
457
+
https://home.regit.org/netfilter-en/secure-use-of-helpers/
448
-
Loading of helpers is recommended to be done through the
449
-
CT target. More info:
450
-
https://home.regit.org/netfilter-en/secure-use-of-helpers/
461
+
autoLoadConntrackHelpers = mkOption {
466
+
Whether to auto-load connection-tracking helpers.
467
+
See the description at networking.firewall.connectionTrackingModules
454
-
networking.firewall.autoLoadConntrackHelpers = mkOption {
459
-
Whether to auto-load connection-tracking helpers.
460
-
See the description at networking.firewall.connectionTrackingModules
469
+
(needs kernel 3.5+)
462
-
(needs kernel 3.5+)
473
+
extraCommands = mkOption {
474
+
type = types.lines;
476
+
example = "iptables -A INPUT -p icmp -j ACCEPT";
479
+
Additional shell commands executed as part of the firewall
480
+
initialisation script. These are executed just before the
481
+
final "reject" firewall rule is added, so they can be used
482
+
to allow packets that would otherwise be refused.
466
-
networking.firewall.extraCommands = mkOption {
467
-
type = types.lines;
469
-
example = "iptables -A INPUT -p icmp -j ACCEPT";
472
-
Additional shell commands executed as part of the firewall
473
-
initialisation script. These are executed just before the
474
-
final "reject" firewall rule is added, so they can be used
475
-
to allow packets that would otherwise be refused.
486
+
extraPackages = mkOption {
487
+
type = types.listOf types.package;
489
+
example = literalExample "[ pkgs.ipset ]";
492
+
Additional packages to be included in the environment of the system
493
+
as well as the path of networking.firewall.extraCommands.
479
-
networking.firewall.extraPackages = mkOption {
480
-
type = types.listOf types.package;
482
-
example = literalExample "[ pkgs.ipset ]";
485
-
Additional packages to be included in the environment of the system
486
-
as well as the path of networking.firewall.extraCommands.
497
+
extraStopCommands = mkOption {
498
+
type = types.lines;
500
+
example = "iptables -P INPUT ACCEPT";
503
+
Additional shell commands executed as part of the firewall
504
+
shutdown script. These are executed just after the removal
505
+
of the NixOS input rule, or if the service enters a failed
490
-
networking.firewall.extraStopCommands = mkOption {
491
-
type = types.lines;
493
-
example = "iptables -P INPUT ACCEPT";
496
-
Additional shell commands executed as part of the firewall
497
-
shutdown script. These are executed just after the removal
498
-
of the NixOS input rule, or if the service enters a failed
510
+
interfaces = mkOption {
512
+
default = mapAttrs (name: value: cfg."${name}") commonOptions;
514
+
type = with types; attrsOf (submodule [ { options = commonOptions; } ]);
517
+
Interface-specific open ports. Setting this value will override
518
+
all values of the <literal>networking.firewall.allowed*</literal>
522
+
} // commonOptions;