author | Franz Pletz <fpletz@fnordicwalking.de> | 2017-01-22 17:29:38 +0100 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2017-01-25 01:14:04 +0100 |
commit | 8322a12ef2ce6ea5a239b2221aa6f9a2fe84d904 (patch) | |
tree | f1057f2cff72dbccb3f3c7f72067c3fa76916dcd | |
parent | 403fdd737eb353734591ee59711f8c5d26ca4f90 (diff) | |
firewall: disable conntrack helper autoloading by default
This has been disabled in the Linux kernel since 4.7 because it poses a security risk if not configured properly. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 17 | ||||
-rw-r--r-- | nixos/tests/nat.nix | 3 |
2 files changed, 10 insertions, 10 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 0b0ee57cf7a..34b731ad35c 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -425,7 +425,7 @@ in
 networking.firewall.connectionTrackingModules = mkOption { type = types.listOf types.str;
- default = [ "ftp" ];
+ default = [ ];
 example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; description = ''
@@ -434,9 +434,11 @@ in
 As helpers can pose as a security risk, it is advised to set this to an empty list and disable the setting
- networking.firewall.autoLoadConntrackHelpers
+ networking.firewall.autoLoadConntrackHelpers unless you
+ know what you are doing. Connection tracking is disabled
+ by default.
- Loading of helpers is recommended to be done through the new
+ Loading of helpers is recommended to be done through the
 CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/ '';
@@ -444,7 +446,7 @@ in
 networking.firewall.autoLoadConntrackHelpers = mkOption { type = types.bool;
- default = true;
+ default = false;
 description = '' Whether to auto-load connection-tracking helpers.
@@ -504,9 +506,10 @@ in
 environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
- boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
- boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
- options nf_conntrack nf_conntrack_helper=0
+ boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
+ ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
+ boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers ''
+ options nf_conntrack nf_conntrack_helper=1
 ''; assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;
diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix
index 4fbf6446268..b16260be38c 100644 
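Review bot: The sentence added to the option description in the second hunk, `Connection tracking is disabled by default.`, does not describe what the new defaults do: they stop loading the ftp helper module and turn off automatic helper assignment (`nf_conntrack_helper`), while connection tracking itself is not affected by either option. Suggest `Automatic loading of conntrack helpers is disabled by default.` so a reader does not conclude that stateful filtering is off. The recommendation to load helpers through the CT target would also be easier to act on if the description said where such rules belong in this module instead of pointing only to an external article.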
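Review bot: With `autoLoadConntrackHelpers = false` the new `boot.extraModprobeConfig` in the last hunk emits nothing, leaving helper auto-assignment at the kernel's own default; the commit message says that default is off only since Linux 4.7, so on older kernels the option no longer turns auto-loading off the way the removed `nf_conntrack_helper=0` line did. Emitting the parameter in both cases keeps the option's documented meaning independent of the kernel in use: `boot.extraModprobeConfig = "options nf_conntrack nf_conntrack_helper=${if cfg.autoLoadConntrackHelpers then "1" else "0"}\n";`. A modprobe option also only takes effect when the module is loaded, so if nf_conntrack is built into the kernel or already resident the line does nothing and the runtime `net.netfilter.nf_conntrack_helper` sysctl is what would need setting; a comment next to this line stating that assumption would help the next maintainer.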
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
@@ -65,9 +65,6 @@ import ./make-test.nix ({ pkgs, withFirewall, ... }:
 $server->succeed("echo Hello World > /home/ftp/foo.txt"); $client->succeed("curl -v ftp://server/foo.txt >&2");
- # Test whether active FTP works.
- $client->succeed("curl -v -P - ftp://server/foo.txt >&2");
- # Test ICMP. $client->succeed("ping -c 1 router >&2"); $router->succeed("ping -c 1 client >&2"); |