authorPeter Simons <simons@cryp.to>2011-09-14 18:20:50 +0000
committerPeter Simons <simons@cryp.to>2011-09-14 18:20:50 +0000
commiteb6e1310b8774f3aed4c5675d09708f0df6199d3 (patch)
tree3297542b3cda78d38731abb65837f4553cd377a9 /modules/services/networking/firewall.nix
parentf5e8d35f8e76755febf97ca8f62b0700a8b6d20a (diff)
strip trailing whitespace; no functional change
svn path=/nixos/trunk/; revision=29285
Diffstat (limited to 'modules/services/networking/firewall.nix')
-rw-r--r--modules/services/networking/firewall.nix24
1 files changed, 12 insertions, 12 deletions
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index b4083d3c9e2..64cfcef124a 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -5,7 +5,7 @@
    uses several chains:
 
    - ‘nixos-fw-input’ is the main chain for input packet processing.
-   
+
    - ‘nixos-fw-log-refuse’ and ‘nixos-fw-refuse’ are called for
      refused packets.  (The former jumps to the latter after logging
      the packet.)  If you want additional logging, or want to accept
@@ -17,7 +17,7 @@
      can insert rules at the start of this chain.
 
 */
-  
+
 
 
 { config, pkgs, ... }:
@@ -44,7 +44,7 @@ in
   ###### interface
 
   options = {
-  
+
     networking.firewall.enable = mkOption {
       default = false;
       description =
@@ -55,7 +55,7 @@ in
           forwarding.
         '';
     };
-  
+
     networking.firewall.logRefusedConnections = mkOption {
       default = true;
       description =
@@ -63,7 +63,7 @@ in
           Whether to log rejected or dropped incoming connections.
         '';
     };
-  
+
     networking.firewall.logRefusedPackets = mkOption {
       default = false;
       description =
@@ -95,7 +95,7 @@ in
           port scanning somewhat easier.
         '';
     };
-  
+
     networking.firewall.allowedTCPPorts = mkOption {
       default = [];
       example = [ 22 80 ];
@@ -106,7 +106,7 @@ in
           accepted.
         '';
     };
-  
+
     networking.firewall.allowedUDPPorts = mkOption {
       default = [];
       example = [ 53 ];
@@ -116,7 +116,7 @@ in
           List of open UDP ports.
         '';
     };
-  
+
     networking.firewall.allowPing = mkOption {
       default = false;
       type = types.bool;
@@ -128,7 +128,7 @@ in
           less effective.
         '';
     };
-  
+
     networking.firewall.extraCommands = mkOption {
       default = "";
       example = "iptables -A INPUT -p icmp -j ACCEPT";
@@ -140,7 +140,7 @@ in
           to allow packets that would otherwise be refused.
         '';
     };
-  
+
   };
 
 
@@ -184,7 +184,7 @@ in
 
             # The "nixos-fw-refuse" chain rejects or drops packets.
             ip46tables -N nixos-fw-refuse
-            
+
             ${if cfg.rejectPackets then ''
               # Send a reset for existing TCP connections that we've
               # somehow forgotten about.  Send ICMP "port unreachable"
@@ -219,7 +219,7 @@ in
 
             # The "nixos-fw" chain does the actual work.
             ip46tables -N nixos-fw
-            
+
             # Accept all traffic on the loopback interface.
             ip46tables -A nixos-fw -i lo -j nixos-fw-accept