movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

nixos/firewall: Refactor rpfilter, allow DHCPv4 (#17325)

Browse source 
Adds a new chain in the raw table for reverse path filtering and optional
logging. A rule to allow serving DHCPv4 was also added as it is commonly
needed and poses no security risk even when no DHCPv4 server is running.

Fixes #10101.
This commit is contained in:
Franz Pletz 2016-07-31 13:49:24 +02:00 committed by GitHub
parent 5088f24ded
commit 76b21b7adb
1 changed files with 27 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

33
nixos/modules/services/networking/firewall.nix
View file

@ -101,9 +101,22 @@ let
# Perform a reverse-path test to refuse spoofers # Perform a reverse-path test to refuse spoofers
# For now, we just drop, as the raw table doesn't have a log-refuse yet # For now, we just drop, as the raw table doesn't have a log-refuse yet
${optionalString (kernelHasRPFilter && cfg.checkReversePath) '' ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
if ! ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP; then # Clean up rpfilter rules
echo "<2>failed to initialise rpfilter support" >&2 ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
fi ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true
ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter -j RETURN
# Allows this host to act as a DHCPv4 server
iptables -t raw -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN
${optionalString cfg.logReversePathDrops ''
ip46tables -t raw -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: "
''}
ip46tables -t raw -A nixos-fw-rpfilter -j DROP
ip46tables -t raw -A PREROUTING -j nixos-fw-rpfilter
''} ''}
# Accept all traffic on the trusted interfaces. # Accept all traffic on the trusted interfaces.
@ -188,9 +201,7 @@ let
ip46tables -D INPUT -j nixos-fw 2>/dev/null || true ip46tables -D INPUT -j nixos-fw 2>/dev/null || true
${optionalString (kernelHasRPFilter && cfg.checkReversePath) '' ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
if ! ip46tables -D PREROUTING -t raw -m rpfilter --invert -j DROP; then ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true
echo "<2>failed to stop rpfilter support" >&2
fi
''} ''}
${cfg.extraStopCommands} ${cfg.extraStopCommands}
@ -376,6 +387,16 @@ in
''; '';
}; };
networking.firewall.logReversePathDrops = mkOption {
default = false;
type = types.bool;
description =
''
Logs dropped packets failing the reverse path filter test if
the option networking.firewall.checkReversePath is enabled.
'';
};
networking.firewall.connectionTrackingModules = mkOption { networking.firewall.connectionTrackingModules = mkOption {
default = [ "ftp" ]; default = [ "ftp" ];
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];