authorEelco Dolstra <eelco.dolstra@logicblox.com>2011-03-09 15:11:01 +0000
committerEelco Dolstra <eelco.dolstra@logicblox.com>2011-03-09 15:11:01 +0000
commite4051e105c2dc677e7a4650e0c8a9d4053b3b836 (patch)
tree66275d005b21077e7ed3ed422c5e9f67774cdcd9 /modules/services/networking/firewall.nix
parent66716f9dd5901ad6fc0df78114d69bcfa91d4967 (diff)
* Use a separate chain for logging and rejecting.
svn path=/nixos/trunk/; revision=26232
Diffstat (limited to 'modules/services/networking/firewall.nix')
-rw-r--r--modules/services/networking/firewall.nix29
1 files changed, 21 insertions, 8 deletions
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index 0c703caac20..2f0fe4f81c2 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -90,6 +90,23 @@ in
             }
 
             ip46tables -F
+            ip46tables -X # flush unused chains
+            ip46tables -P INPUT DROP
+
+
+            # The "FW_REFUSE" chain performs logging and
+            # rejecting/dropping of packets.
+            ip46tables -N FW_REFUSE
+
+            ${optionalString cfg.logRefusedConnections ''
+              ip46tables -A FW_REFUSE -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
+            ''}
+            ${optionalString cfg.logRefusedPackets ''
+              ip46tables -A FW_REFUSE -j LOG --log-level info --log-prefix "rejected packet: "
+            ''}
+
+            ip46tables -A FW_REFUSE -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
+
 
             # Accept all traffic on the loopback interface.
             ip46tables -A INPUT -i lo -j ACCEPT
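Review bot: The two LOG rules appended to the new FW_REFUSE chain carry no rate limit, so a burst of refused traffic can flood the kernel log at `info` level and crowd out other messages; consider prefixing each with `-m limit --limit 10/minute --limit-burst 50` (constructed values, tune per site) or stating in the chain comment why logging is deliberately unlimited. The unconditional `ip46tables -P INPUT DROP` also deserves a comment, since it is set before the loopback and established-connection ACCEPT rules and independently of cfg.rejectPackets, e.g. `# Fail closed: the DROP policy only matters while rules are still loading or if loading aborts; normally the final INPUT rule hands unmatched packets to FW_REFUSE.` From what is visible of postStop in the next hunk, it flushes and resets the policy but does not delete the FW_REFUSE chain with `-X`, so the chain lingers after a stop until the next start's `ip46tables -X`.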
@@ -113,20 +130,16 @@ in
             # stuff like neighbor/router solicitation won't work.
             ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
 
-            # Drop everything else.
-            ${optionalString cfg.logRefusedConnections ''
-              ip46tables -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
-            ''}
-            ${optionalString cfg.logRefusedPackets ''
-              ip46tables -A INPUT -j LOG --log-level info --log-prefix "rejected packet: "
-            ''}
-            ip46tables -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
+            # Reject/drop everything else.
+            ip46tables -A INPUT -j FW_REFUSE
           '';
 
         postStop =
           ''
             iptables -F
+            iptables -P INPUT ACCEPT
             ip6tables -F
+            ip6tables -P INPUT ACCEPT
           '';
       };