author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2011-03-09 15:11:01 +0000 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2011-03-09 15:11:01 +0000 |
commit | e4051e105c2dc677e7a4650e0c8a9d4053b3b836 (patch) | |
tree | 66275d005b21077e7ed3ed422c5e9f67774cdcd9 /modules/services/networking/firewall.nix | |
parent | 66716f9dd5901ad6fc0df78114d69bcfa91d4967 (diff) | |
* Use a separate chain for logging and rejecting.
svn path=/nixos/trunk/; revision=26232
Diffstat (limited to 'modules/services/networking/firewall.nix')
-rw-r--r-- | modules/services/networking/firewall.nix | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix index 0c703caac20..2f0fe4f81c2 100644 --- a/modules/services/networking/firewall.nix +++ b/modules/services/networking/firewall.nix @@ -90,6 +90,23 @@ in } ip46tables -F + ip46tables -X # flush unused chains + ip46tables -P INPUT DROP + + + # The "FW_REFUSE" chain performs logging and + # rejecting/dropping of packets. + ip46tables -N FW_REFUSE + + ${optionalString cfg.logRefusedConnections '' + ip46tables -A FW_REFUSE -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: " + ''} + ${optionalString cfg.logRefusedPackets '' + ip46tables -A FW_REFUSE -j LOG --log-level info --log-prefix "rejected packet: " + ''} + + ip46tables -A FW_REFUSE -j ${if cfg.rejectPackets then "REJECT" else "DROP"} + # Accept all traffic on the loopback interface. ip46tables -A INPUT -i lo -j ACCEPT @@ -113,20 +130,16 @@ in # stuff like neighbor/router solicitation won't work. ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT - # Drop everything else. - ${optionalString cfg.logRefusedConnections '' - ip46tables -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: " - ''} - ${optionalString cfg.logRefusedPackets '' - ip46tables -A INPUT -j LOG --log-level info --log-prefix "rejected packet: " - ''} - ip46tables -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"} + # Reject/drop everything else. + ip46tables -A INPUT -j FW_REFUSE ''; postStop = '' iptables -F + iptables -P INPUT ACCEPT ip6tables -F + ip6tables -P INPUT ACCEPT ''; }; |
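Review bot: The two `-j LOG` rules appended to the new FW_REFUSE chain carry no rate limit, so a remote peer that streams refused packets can fill the kernel log at line rate before any authentication happens; prefix each with a limit match, e.g. `ip46tables -A FW_REFUSE -p tcp --syn -m limit --limit 5/min --limit-burst 10 -j LOG ...` (the numbers are a suggested starting point, not taken from the file). The new `ip46tables -P INPUT DROP` is issued directly after `ip46tables -F` and before the ACCEPT rules that follow (the loopback rule is the first visible one), so the host is fully closed for the duration of the reload, and if a later command in the script fails it presumably stays closed with a partial rule set, depending on whether the script aborts on error; that is the safer failure direction but deserves a comment next to the policy line, e.g. `# Default to DROP so a partially loaded rule set fails closed.`. The comment `# flush unused chains` describes `-X` loosely, since it deletes every user-defined chain; `# delete all user-defined chains (nothing references them after -F)` is more accurate. The preStart string this hunk patches begins before the hunk.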
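Review bot: `postStop` flushes the rules and resets the INPUT policy to ACCEPT but never runs `-X`, so the FW_REFUSE chain created in preStart outlives the service as an empty chain; adding `iptables -X` and `ip6tables -X` after the two flushes keeps stop symmetric with start (the next preStart deletes it anyway, so this is tidiness rather than a defect). Resetting the policy also makes the fail-open-on-stop behaviour explicit where before it was only implied by the flush; a one-line comment such as `# Stopping the firewall opens the host: restore the default ACCEPT policy.` would record that this is intentional. The second hunk starts inside the preStart string, whose opening is outside the hunk.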