Diffstat (limited to 'nixos/modules/services/networking/firewall.nix')
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 44 |
1 files changed, 22 insertions, 22 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index c213a5516a4..48cb83e344e 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -258,7 +258,7 @@ let
 apply = canonicalizePortList;
 example = [ 22 80 ];
 description =
- ''
+ lib.mdDoc ''
 List of TCP ports on which incoming connections are accepted. '';
@@ -269,7 +269,7 @@ let
 default = [ ];
 example = [ { from = 8999; to = 9003; } ];
 description =
- ''
+ lib.mdDoc ''
 A range of TCP ports on which incoming connections are accepted. '';
@@ -281,7 +281,7 @@ let
 apply = canonicalizePortList;
 example = [ 53 ];
 description =
- ''
+ lib.mdDoc ''
 List of open UDP ports. ''; };
@@ -291,7 +291,7 @@ let
 default = [ ];
 example = [ { from = 60000; to = 61000; } ];
 description =
- ''
+ lib.mdDoc ''
 Range of open UDP ports. ''; };
@@ -310,7 +310,7 @@ in
 type = types.bool;
 default = true;
 description =
- ''
+ lib.mdDoc ''
 Whether to enable the firewall. This is a simple stateful firewall that blocks connection attempts to unauthorised TCP or UDP ports on this machine. It does not affect packet
@@ -324,7 +324,7 @@ in
 defaultText = literalExpression "pkgs.iptables";
 example = literalExpression "pkgs.iptables-legacy";
 description =
- ''
+ lib.mdDoc ''
 The iptables package to use for running the firewall service." ''; };
@@ -333,7 +333,7 @@ in
 type = types.bool;
 default = true;
 description =
- ''
+ lib.mdDoc ''
 Whether to log rejected or dropped incoming connections. Note: The logs are found in the kernel logs, i.e. dmesg or journalctl -k.
@@ -344,7 +344,7 @@ in
 type = types.bool;
 default = false;
 description =
- ''
+ lib.mdDoc ''
 Whether to log all rejected or dropped incoming packets. This tends to give a lot of log messages, so it's mostly useful for debugging.
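Review bot: The description of the iptables package option (hunk 324) ends with a stray double quote, `The iptables package to use for running the firewall service."`, and the conversion to `lib.mdDoc` carries that typo into the rendered Markdown. Since the hunk already rewrites the opening of that string, this is the moment to drop the quote so the line reads `The iptables package to use for running the firewall service.`. In hunk 333 the command names dmesg and journalctl -k are plain prose; now that the string is Markdown they can be wrapped in backticks as code spans. The option definitions continue outside these hunks.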
@@ -357,8 +357,8 @@ in
 type = types.bool;
 default = true;
 description =
- ''
- If <option>networking.firewall.logRefusedPackets</option>
+ lib.mdDoc ''
+ If {option}`networking.firewall.logRefusedPackets`
 and this option are enabled, then only log packets specifically directed at this machine, i.e., not broadcasts or multicasts.
@@ -369,7 +369,7 @@ in
 type = types.bool;
 default = false;
 description =
- ''
+ lib.mdDoc ''
 If set, refused packets are rejected rather than dropped (ignored). This means that an ICMP "port unreachable" error message is sent back to the client (or a TCP RST packet in
@@ -383,7 +383,7 @@ in
 default = [ ];
 example = [ "enp0s2" ];
 description =
- ''
+ lib.mdDoc ''
 Traffic coming in from these interfaces will be accepted unconditionally. Traffic from the loopback (lo) interface will always be accepted.
@@ -394,7 +394,7 @@ in
 type = types.bool;
 default = true;
 description =
- ''
+ lib.mdDoc ''
 Whether to respond to incoming ICMPv4 echo requests ("pings"). ICMPv6 pings are always allowed because the larger address space of IPv6 makes network scanning much
@@ -407,7 +407,7 @@ in
 default = null;
 example = "--limit 1/minute --limit-burst 5";
 description =
- ''
+ lib.mdDoc ''
 If pings are allowed, this allows setting rate limits on them. If non-null, this option should be in the form of flags like "--limit 1/minute --limit-burst 5"
@@ -420,7 +420,7 @@ in
 defaultText = literalDocBook "<literal>true</literal> if supported by the chosen kernel";
 example = "loose";
 description =
- ''
+ lib.mdDoc ''
 Performs a reverse path filter test on a packet. If a reply to the packet would not be sent via the same interface that the packet arrived on, it is refused.
@@ -440,7 +440,7 @@ in
 type = types.bool;
 default = false;
 description =
- ''
+ lib.mdDoc ''
 Logs dropped packets failing the reverse path filter test if the option networking.firewall.checkReversePath is enabled. '';
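Review bot: Hunk 440 still names `networking.firewall.checkReversePath` as bare prose while hunk 357 converts the same kind of cross-reference to the Markdown form {option}`networking.firewall.logRefusedPackets`; for consistency the reverse-path line should read `if the option {option}\`networking.firewall.checkReversePath\` is enabled.` The same applies to `networking.firewall.connectionTrackingModules` in hunk 471 and `networking.firewall.extraCommands` in hunk 497 on the next line. In hunk 407 the quoted flag string "--limit 1/minute --limit-burst 5" inside the description is now Markdown and reads better as a code span in backticks. Hunk 420's `defaultText` keeps `literalDocBook` with `<literal>` markup next to a Markdown description; if this tree already provides `lib.literalMD`, switching it to `literalMD "\`true\` if supported by the chosen kernel"` would keep the option's documentation in one markup, otherwise it can stay as is.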
@@ -451,7 +451,7 @@ in
 default = [ ];
 example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
 description =
- ''
+ lib.mdDoc ''
 List of connection-tracking helpers that are auto-loaded. The complete list of possible values is given in the example.
@@ -471,7 +471,7 @@ in
 type = types.bool;
 default = false;
 description =
- ''
+ lib.mdDoc ''
 Whether to auto-load connection-tracking helpers. See the description at networking.firewall.connectionTrackingModules
@@ -484,7 +484,7 @@ in
 default = "";
 example = "iptables -A INPUT -p icmp -j ACCEPT";
 description =
- ''
+ lib.mdDoc ''
 Additional shell commands executed as part of the firewall initialisation script. These are executed just before the final "reject" firewall rule is added, so they can be used
@@ -497,7 +497,7 @@ in
 default = [ ];
 example = literalExpression "[ pkgs.ipset ]";
 description =
- ''
+ lib.mdDoc ''
 Additional packages to be included in the environment of the system as well as the path of networking.firewall.extraCommands. '';
@@ -508,7 +508,7 @@ in
 default = "";
 example = "iptables -P INPUT ACCEPT";
 description =
- ''
+ lib.mdDoc ''
 Additional shell commands executed as part of the firewall shutdown script. These are executed just after the removal of the NixOS input rule, or if the service enters a failed
@@ -520,7 +520,7 @@ in
 default = { };
 type = with types; attrsOf (submodule [ { options = commonOptions; } ]);
 description =
- ''
+ lib.mdDoc ''
 Interface-specific open ports. ''; }; |