author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2011-03-10 09:39:17 +0000 |
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2011-03-10 09:39:17 +0000 |
commit | d6424efbfbe8baafbebaa8eda50c84bebf8937a6 (patch) | |
tree | c8829bc7e154ca6db506d44e2926e4c5bd7ea54b /modules | |
parent | e884cbed7d96a5d15bc8f22f18fd8bfdb91024d7 (diff) | |
* Cleanup.
svn path=/nixos/trunk/; revision=26244
Diffstat (limited to 'modules')
-rw-r--r-- | modules/services/networking/firewall.nix | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index c7ccc65ca37..30ba36e27d0 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -1,3 +1,5 @@
+# This module enables a simple firewall.
+
 { config, pkgs, ... }:
 with pkgs.lib;
@@ -18,7 +20,10 @@ in
 default = false;
 description = ''
- Whether to enable the firewall.
+ Whether to enable the firewall. This is a simple stateful
+ firewall that blocks connection attempts to unauthorised TCP
+ or UDP ports on this machine. It does not affect packet
+ forwarding.
 '';
 };
@@ -91,7 +96,7 @@ in
 # doesn't deal with such Upstart jobs properly (it starts them if
 # they are changed, regardless of whether the start condition
 # holds).
- config = mkIf config.networking.firewall.enable {
+ config = mkIf cfg.enable {
 environment.systemPackages = [ pkgs.iptables ];
@@ -102,7 +107,7 @@ in
 preStart = ''
- # Helper command to manipulate both the IPv4 and IPv6 filters.
+ # Helper command to manipulate both the IPv4 and IPv6 tables.
 ip46tables() {
 iptables "$@"
 ip6tables "$@"
@@ -138,7 +143,7 @@ in
 ''
 ip46tables -A INPUT -p tcp --dport ${toString port} -j ACCEPT
 ''
- ) config.networking.firewall.allowedTCPPorts
+ ) cfg.allowedTCPPorts
 }
 # Accept packets on the allowed UDP ports.
@@ -146,7 +151,7 @@ in
 ''
 ip46tables -A INPUT -p udp --dport ${toString port} -j ACCEPT
 ''
- ) config.networking.firewall.allowedUDPPorts
+ ) cfg.allowedUDPPorts
 }
 # Accept IPv4 multicast. Not a big security risk since
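Review bot: The expanded description in the second hunk says the firewall "blocks connection attempts to unauthorised TCP or UDP ports" but never tells the reader how a port is authorised; the rules later in this file are generated from networking.firewall.allowedTCPPorts and networking.firewall.allowedUDPPorts, so the description should name them, e.g. `Ports are opened with networking.firewall.allowedTCPPorts and networking.firewall.allowedUDPPorts.` Every rule visible in the later hunks is appended to the INPUT chain, so "connection attempts to ... this machine" could be stated explicitly as incoming connections, which also matches the sentence about forwarding being untouched. The default policy and any flush of pre-existing rules lie outside the hunks shown, so I cannot confirm from this diff that the blocking behaviour the description promises is actually established by the module. Separately, the ip46tables helper in the fourth hunk (context lines, unchanged by this commit) returns only the exit status of ip6tables, so a failing iptables call is masked unless preStart runs under set -e, which is not visible here.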