authorEelco Dolstra <eelco.dolstra@logicblox.com>2009-07-26 21:27:35 +0000
committerEelco Dolstra <eelco.dolstra@logicblox.com>2009-07-26 21:27:35 +0000
commitf0f5434eaad8efb46496b9e113c8cd1a872665a2 (patch)
tree21dc46d36fc74b511597182beb47762d0623b69b
parent264b49fce76b52fce46daafdcc706d3d85dd40b0 (diff)
* Add an option to enable the firewall. It should eventually be
  enabled by default.

svn path=/nixos/branches/modular-nixos/; revision=16464
-rw-r--r--modules/module-list.nix3
-rw-r--r--modules/services/networking/firewall.nix21
-rw-r--r--modules/services/networking/ssh/sshd.nix4
3 files changed, 20 insertions, 8 deletions
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 429bcfcf1b8..cd37d967066 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -53,6 +53,7 @@
   ./services/networking/dhclient.nix
   ./services/networking/dhcpd.nix
   ./services/networking/ejabberd.nix
+  ./services/networking/firewall.nix
   ./services/networking/gnunet.nix
   ./services/networking/gw6c.nix
   ./services/networking/ifplugd.nix
@@ -81,9 +82,9 @@
   ./services/x11/xserver/default.nix
   ./services/x11/xserver/desktop-managers/default.nix
   ./services/x11/xserver/desktop-managers/gnome.nix
-  ./services/x11/xserver/desktop-managers/kde4.nix
   ./services/x11/xserver/desktop-managers/kde-environment.nix
   ./services/x11/xserver/desktop-managers/kde.nix
+  ./services/x11/xserver/desktop-managers/kde4.nix
   ./services/x11/xserver/desktop-managers/none.nix
   ./services/x11/xserver/desktop-managers/xterm.nix
   ./services/x11/xserver/display-managers/default.nix
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index a6a5f8fec2b..ef6b3a94472 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -12,6 +12,14 @@ in
 
   options = {
   
+    networking.firewall.enable = pkgs.lib.mkOption {
+      default = false;
+      description =
+        ''
+          Whether to enable the firewall.
+        '';
+    };
+  
     networking.firewall.allowedTCPPorts = pkgs.lib.mkOption {
       default = [];
       example = [22 80];
@@ -27,14 +35,21 @@ in
 
 
   ###### implementation
-  
-  config = {
+
+  # !!! Maybe if `enable' is false, the firewall should still be built
+  # but not started by default.  However, currently nixos-rebuild
+  # doesn't deal with such Upstart jobs properly (it starts them if
+  # they are changed, regardless of whether the start condition
+  # holds).
+  config = pkgs.lib.mkIf config.networking.firewall.enable {
 
     environment.systemPackages = [pkgs.iptables];
 
     jobs = pkgs.lib.singleton
       { name = "firewall";
 
+        startOn = "network-interfaces/started";
+
         preStart =
           ''
             ${iptables} -F
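Review bot: The job is started on `network-interfaces/started` (the new `startOn` line), so the iptables rules in `preStart` are installed only after the interfaces are already up; until `preStart` finishes, whatever chain policy the kernel has by default decides what is accepted, which is a window of unfiltered traffic if that policy is ACCEPT (the policy setup is not in this hunk, so this is inferred). Either start the job before the interfaces are brought up or record the window next to `startOn`, e.g. `# Rules are installed after the interfaces are up; until preStart has run, the kernel's default chain policy applies.`. The `mkIf config.networking.firewall.enable` wrapper also means a host with the default `enable = false` gets no iptables rules at all, which the `!!!` comment above records; the `preStart` body continues outside the hunk.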
@@ -63,8 +78,6 @@ in
           '';     
       };
 
-    networking.firewall.allowedTCPPorts = [22];
-    
   };
 
 }
diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix
index 95b78d69445..ca072e92084 100644
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@@ -131,9 +131,7 @@ in
         exec = "${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}";
       };
 
-    # !!! This barfs because of the mkIf ("value is a list while an
-    #attribute set was expected") :-(
-    #networking.firewall.allowedTCPPorts = [22];
+    networking.firewall.allowedTCPPorts = [22];
           
   };