ilyakooo0/nixpkgs
1
0
Fork 0
mirror of https://github.com/ilyakooo0/nixpkgs.git synced 2024-11-11 04:02:55 +03:00
Code Issues Projects Releases Wiki Activity

* Use a separate chain for logging and rejecting.

Browse Source 
svn path=/nixos/trunk/; revision=26232
This commit is contained in:
Eelco Dolstra 2011-03-09 15:11:01 +00:00
parent 66716f9dd5
commit e4051e105c
1 changed files with 21 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
modules/services/networking/firewall.nix
View File

@ -90,6 +90,23 @@ in
}
ip46tables -F
ip46tables -X # flush unused chains
ip46tables -P INPUT DROP
# The "FW_REFUSE" chain performs logging and
# rejecting/dropping of packets.
ip46tables -N FW_REFUSE
${optionalString cfg.logRefusedConnections ''
ip46tables -A FW_REFUSE -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
''}
${optionalString cfg.logRefusedPackets ''
ip46tables -A FW_REFUSE -j LOG --log-level info --log-prefix "rejected packet: "
''}
ip46tables -A FW_REFUSE -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
# Accept all traffic on the loopback interface.
ip46tables -A INPUT -i lo -j ACCEPT
@ -113,20 +130,16 @@ in
# stuff like neighbor/router solicitation won't work.
ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
# Drop everything else.
${optionalString cfg.logRefusedConnections ''
ip46tables -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
''}
${optionalString cfg.logRefusedPackets ''
ip46tables -A INPUT -j LOG --log-level info --log-prefix "rejected packet: "
''}
ip46tables -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
# Reject/drop everything else.
ip46tables -A INPUT -j FW_REFUSE
'';
postStop =
''
iptables -F
iptables -P INPUT ACCEPT
ip6tables -F
ip6tables -P INPUT ACCEPT
'';
};