* A very basic firewall that rejects all incoming connections except

for the ports defined in networking.firewall.allowedTCPPorts.

svn path=/nixos/branches/modular-nixos/; revision=16460
Eelco Dolstra 2009-07-24 23:12:52 +00:00
parent 38d594deec
commit 264b49fce7
2 changed files with 74 additions and 0 deletions


@ -0,0 +1,70 @@
{pkgs, config, ...}:
let
iptables = "${pkgs.iptables}/sbin/iptables";
in
{
###### interface
options = {
networking.firewall.allowedTCPPorts = pkgs.lib.mkOption {
default = [];
example = [22 80];
type = pkgs.lib.types.list pkgs.lib.types.int;
description =
''
List of TCP ports on which incoming connections are
accepted.
'';
};
};
###### implementation
config = {
environment.systemPackages = [pkgs.iptables];
jobs = pkgs.lib.singleton
{ name = "firewall";
preStart =
''
${iptables} -F
# Accept all traffic on the loopback interface.
${iptables} -A INPUT -i lo -j ACCEPT
# Accept packets from established or related connections.
${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept connections to the allowed TCP ports.
${pkgs.lib.concatMapStrings (port:
''
${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT
''
) config.networking.firewall.allowedTCPPorts
}
# Drop everything else.
${iptables} -A INPUT -j DROP
'';
postStop =
''
${iptables} -F
'';
};
networking.firewall.allowedTCPPorts = [22];
};
}
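Review bot: The module's own `config` block sets `networking.firewall.allowedTCPPorts = [22];`, so port 22 is opened on every host that imports this module whether or not sshd is running; this is a stopgap for the mkIf failure recorded in the sshd.nix hunk below and should carry a comment such as `# TODO: belongs in sshd.nix, conditional on sshd being enabled; mkIf on a list currently fails`, with `pkgs.lib.optional <sshd-enabled-condition> 22` as the eventual form there. The rule set is IPv4-only — only `${pkgs.iptables}/sbin/iptables` is invoked, no ip6tables counterpart — so IPv6 input is never filtered, which contradicts the option description's unqualified "incoming connections are accepted/rejected" wording; the description should state the IPv4 limitation until IPv6 rules are added. preStart flushes first and appends the `DROP` rule last, so every input packet is accepted between the `-F` and the final rule (and indefinitely after postStop flushes, since the chain policy stays ACCEPT); setting the policy instead, `${iptables} -P INPUT DROP` before the flush, closes the start-up window, with postStop resetting `-P INPUT ACCEPT` before its flush so stopping the job cannot lock the host out. Finally the commit title says "rejects" while the rule uses `-j DROP`; if silent dropping rather than an ICMP reject is intended, the description should say so.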


@ -131,6 +131,10 @@ in
exec = "${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}";
};
# !!! This barfs because of the mkIf ("value is a list while an
#attribute set was expected") :-(
#networking.firewall.allowedTCPPorts = [22];
};
}