From a5ad5a035ed7be53b7dd37746c10e9182e799e2c Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 29 Sep 2009 14:21:56 +0000 Subject: [PATCH] * Firewall: by default, only log rejected TCP connections. Otherwise you get a lot of garbage in the log. Also, an option to reject instead of drop packets. svn path=/nixos/trunk/; revision=17505 --- modules/services/networking/firewall.nix | 56 ++++++++++++++++++++---- 1 file changed, 47 insertions(+), 9 deletions(-) diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix index 85f883301344..f577f0e3bf1c 100644 --- a/modules/services/networking/firewall.nix +++ b/modules/services/networking/firewall.nix @@ -1,9 +1,13 @@ -{pkgs, config, ...}: +{ config, pkgs, ... }: + +with pkgs.lib; let iptables = "${pkgs.iptables}/sbin/iptables"; + cfg = config.networking.firewall; + in { @@ -12,7 +16,7 @@ in options = { - networking.firewall.enable = pkgs.lib.mkOption { + networking.firewall.enable = mkOption { default = false; description = '' 
@@ -20,10 +24,39 @@ in ''; }; - networking.firewall.allowedTCPPorts = pkgs.lib.mkOption { + networking.firewall.logRefusedConnections = mkOption { + default = true; + description = + '' + Whether to log rejected or dropped incoming connections. + ''; + }; + + networking.firewall.logRefusedPackets = mkOption { + default = false; + description = + '' + Whether to log all rejected or dropped incoming packets. + This tends to give a lot of log messages, so it's mostly + useful for debugging. + ''; + }; + + networking.firewall.rejectPackets = mkOption { + default = false; + description = + '' + If set, forbidden packets are rejected rather than dropped + (ignored). This means that a ICMP "port unreachable" error + message is sent back to the client. Rejecting packets makes + port scanning somewhat easier. + ''; + }; + + networking.firewall.allowedTCPPorts = mkOption { default = []; example = [22 80]; - type = pkgs.lib.types.list pkgs.lib.types.int; + type = types.list types.int; description = '' List of TCP ports on which incoming connections are @@ -41,11 +74,11 @@ in # doesn't deal with such Upstart jobs properly (it starts them if # they are changed, regardless of whether the start condition # holds). - config = pkgs.lib.mkIf config.networking.firewall.enable { + config = mkIf config.networking.firewall.enable { environment.systemPackages = [pkgs.iptables]; - jobs = pkgs.lib.singleton + jobs = singleton { name = "firewall"; startOn = "network-interfaces/started"; @@ -61,7 +94,7 @@ in ${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Accept connections to the allowed TCP ports. - ${pkgs.lib.concatMapStrings (port: + ${concatMapStrings (port: '' ${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT '' 
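Review bot: The three new options in this hunk declare no `type`, unlike `allowedTCPPorts` right below them, so a non-boolean value would pass straight into the `optionalString`/`if` expressions that consume `cfg.logRefusedConnections` and `cfg.rejectPackets` and only fail at evaluation time with an unhelpful error; adding `type = types.bool;` to each (assuming this lib version provides it alongside the `types.list`/`types.int` already used here) gives module-system validation and merging. The description of `logRefusedConnections` also promises more than the rule implements: the LOG rule it enables matches only `-p tcp --syn`, so refused UDP and other non-TCP traffic is never logged unless `logRefusedPackets` is set, and I would say so, e.g. `Whether to log rejected or dropped incoming TCP connection attempts (SYN packets). Traffic of other protocols is only logged when logRefusedPackets is set.` The `rejectPackets` description could add that REJECT lets a remote sender confirm the host is up and tell filtered from closed ports, which is the concrete reason it eases scanning.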
@@ -73,8 +106,13 @@ in ${iptables} -A INPUT -d 224.0.0.0/4 -j ACCEPT # Drop everything else. - ${iptables} -A INPUT -j LOG --log-level info --log-prefix "firewall: " - ${iptables} -A INPUT -j DROP + ${optionalString cfg.logRefusedConnections '' + ${iptables} -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: " + ''} + ${optionalString cfg.logRefusedPackets '' + ${iptables} -A INPUT -j LOG --log-level info --log-prefix "rejected packet: " + ''} + ${iptables} -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"} ''; postStop =
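Review bot: Both new LOG rules are unrate-limited, and `logRefusedConnections` defaults to true, so any remote host can fill the system log at line rate simply by sending SYNs to closed ports — a cheap log-flooding/disk-exhaustion denial of service that the removed unconditional LOG rule also had, but which this change now ships enabled by default. I would guard each LOG rule with the `limit` match, e.g. `${iptables} -A INPUT -p tcp --syn -m limit --limit 10/min --limit-burst 20 -j LOG --log-level info --log-prefix "rejected connection: "` and the same for the `"rejected packet: "` rule, optionally exposing the rate as an option. A smaller point on the final rule: plain `-j REJECT` answers TCP with an ICMP port-unreachable (as the option description states), whereas `${iptables} -A INPUT -p tcp -j REJECT --reject-with tcp-reset` ahead of the generic REJECT is the conventional response for TCP clients; and the log prefixes say "rejected" even in the default DROP configuration, which may confuse anyone grepping the log. The preStart script these rules belong to begins outside the hunk.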