authorMathijs Kwik <mathijs@bluescreen303.nl>2012-10-12 13:09:19 +0200
committerMathijs Kwik <mathijs@bluescreen303.nl>2012-10-13 09:59:31 +0200
commit6c62de6a31a17951d06981a2f6e21d8324c07786 (patch)
treec84894222eb74fd2fed1ebf351b029ffef01d2bc /modules/services/networking/firewall.nix
parente40146de16a8edf5e63b92057d0a7abca745182d (diff)
firewall: option to enable the rpfilter netfilter module
This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which
only works for ipv4. Furthermore, it's nicer to handle this kind of
filtering in the firewall.

There are some more subtle differences, please see:
https://home.regit.org/netfilter-en/secure-use-of-helpers/

I chose to enable this by default (when the firewall is enabled) as
it's a good idea in general. Only people with advanced routing needs
might not want this, but I guess they don't use the nixos firewall
anyway and use a custom solution. Furthermore, the option only becomes
available in kernel 3.3+, so conservative NixOS users who stick with the
default kernel do not need to act just yet.
Diffstat (limited to 'modules/services/networking/firewall.nix')
-rw-r--r--modules/services/networking/firewall.nix30
1 files changed, 30 insertions, 0 deletions
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index e6ae725f85f..7ea4e593cd1 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -39,6 +39,11 @@ let
       }
     '';
 
+  kernelPackages = config.boot.kernelPackages;
+  kernelHasRPFilter = kernelPackages.kernel ? features
+                   && kernelPackages.kernel.features ? netfilterRPFilter
+                   && kernelPackages.kernel.features.netfilterRPFilter;
+
 in
 
 {
@@ -140,6 +145,22 @@ in
         '';
     };
 
+    networking.firewall.checkReversePath = mkOption {
+      default = kernelHasRPFilter;
+      type = types.bool;
+      description =
+        ''
+          Performs a reverse path filter test on a packet.
+          If a reply to the packet would not be sent via the same interface
+          that the packet arrived on, it is refused.
+
+          If using asymmetric routing or other complicated routing,
+          disable this setting and setup your own counter-measures.
+
+          (needs kernel 3.3+)
+        '';
+    };
+
     networking.firewall.extraCommands = mkOption {
       default = "";
       example = "iptables -A INPUT -p icmp -j ACCEPT";
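Review bot: The option description does not match what the option actually installs, in two places. It says a failing packet "is refused", but the rule this commit adds further down the file is a plain `-j DROP` in the raw table, so spoofed packets are silently discarded with no log entry; and the commit message presents this as a replacement for the `rp_filter` sysctl, yet nothing in the change turns that sysctl off, so both checks stay active. I would also tie the version hint to the real guard, since the default is `kernelHasRPFilter` rather than unconditionally true, and note that the match is used without `--loose`, which as far as I recall means strict mode (reply must leave via the ingress interface, as the first paragraph describes). Suggested addition to the description: `Packets that fail the test are silently dropped (no log entry). The rp_filter sysctl is left untouched. Defaults to true only when the configured kernel provides the rpfilter match (kernel 3.3+).`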
@@ -170,6 +191,9 @@ in
 
     boot.kernelModules = [ "nf_conntrack_ftp" ];
 
+    assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter;
+                     message = "This kernel does not support rpfilter"; } ];
+
     jobs.firewall =
       { startOn = "started network-interfaces";
 
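Review bot: The assertion message `This kernel does not support rpfilter` names neither the option that triggered it nor how to resolve it, and on a pre-3.3 kernel it is the only hint the user gets when their configuration stops evaluating. Name the option and both ways out in the message, e.g. `message = "networking.firewall.checkReversePath is enabled but the selected kernel does not provide the rpfilter match (kernel 3.3+ required); disable the option or use a newer kernel";`. The enclosing `config` attribute set starts and ends outside this hunk.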
@@ -233,6 +257,12 @@ in
             # The "nixos-fw" chain does the actual work.
             ip46tables -N nixos-fw
 
+            # Perform a reverse-path test to refuse spoofers
+            # For now, we just drop, as the raw table doesn't have a log-refuse yet
+            ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
+              ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP
+            ''}
+
             # Accept all traffic on the trusted interfaces.
             ${flip concatMapStrings cfg.trustedInterfaces (iface: ''
               ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept
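Review bot: The new rule is appended directly to the built-in raw `PREROUTING` chain, while the setup visible around it (`ip46tables -N nixos-fw`) suggests the script recreates its own named chains rather than flushing whole tables; the teardown step is outside this hunk, but if it only handles the nixos-fw chains, every restart of the firewall job will append one more identical DROP rule, and turning the option off later will leave the old rule in place with no way to remove it short of a reboot. Putting the match in a dedicated raw-table chain that is unlinked, flushed and re-linked on every run avoids both problems, and the unlink should run regardless of the option so a disabled option actually disables the check. A second, hedged concern: strict reverse-path matching drops packets for which the kernel has no route back, which presumably includes DHCPv4 replies arriving on an interface that has no address yet; that case should be verified before this becomes the default. The enclosing script string starts and ends outside this hunk.
```nix
# Perform a reverse-path test to refuse spoofers.
# For now, we just drop, as the raw table doesn't have a log-refuse yet.
# Always remove the link left by a previous run, then reinstall it in a
# dedicated chain only if the option is enabled, so restarts do not
# accumulate duplicate DROP rules and disabling the option takes effect.
ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
  ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
  ip46tables -t raw -F nixos-fw-rpfilter
  ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter --invert -j DROP
  ip46tables -t raw -A PREROUTING -j nixos-fw-rpfilter
''}
# … unchanged: trusted-interface accept rules …
```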