diff options
| author | Franz Pletz <fpletz@fnordicwalking.de> | 2016-07-31 13:49:24 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-07-31 13:49:24 +0200 |
| commit | 76b21b7adb9542747b65c2c95008e55bb9df8ecd (patch) | |
| tree | 1530cb8af766ada1bf8916c7d461b0cc8b37f24c /nixos/modules/services/networking/firewall.nix | |
| parent | 5088f24dedd7a8905807ff7f5462020f2e5d8d78 (diff) | |
| download | nixpkgs-76b21b7adb9542747b65c2c95008e55bb9df8ecd.tar nixpkgs-76b21b7adb9542747b65c2c95008e55bb9df8ecd.tar.gz nixpkgs-76b21b7adb9542747b65c2c95008e55bb9df8ecd.tar.bz2 nixpkgs-76b21b7adb9542747b65c2c95008e55bb9df8ecd.tar.lz nixpkgs-76b21b7adb9542747b65c2c95008e55bb9df8ecd.tar.xz nixpkgs-76b21b7adb9542747b65c2c95008e55bb9df8ecd.tar.zst nixpkgs-76b21b7adb9542747b65c2c95008e55bb9df8ecd.zip | |
nixos/firewall: Refactor rpfilter, allow DHCPv4 (#17325)
Adds a new chain in the raw table for reverse path filtering and optional logging. A rule to allow serving DHCPv4 was also added as it is commonly needed and poses no security risk even when no DHCPv4 server is running. Fixes #10101.
Diffstat (limited to 'nixos/modules/services/networking/firewall.nix')
| -rw-r--r-- | nixos/modules/services/networking/firewall.nix | 33 |
1 files changed, 27 insertions, 6 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 9221fe15577..138153306dd 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -101,9 +101,22 @@ let # Perform a reverse-path test to refuse spoofers # For now, we just drop, as the raw table doesn't have a log-refuse yet ${optionalString (kernelHasRPFilter && cfg.checkReversePath) '' - if ! ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP; then - echo "<2>failed to initialise rpfilter support" >&2 - fi + # Clean up rpfilter rules + ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true + ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true + ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true + + ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter -j RETURN + + # Allows this host to act as a DHCPv4 server + iptables -t raw -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN + + ${optionalString cfg.logReversePathDrops '' + ip46tables -t raw -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: " + ''} + ip46tables -t raw -A nixos-fw-rpfilter -j DROP + + ip46tables -t raw -A PREROUTING -j nixos-fw-rpfilter ''} # Accept all traffic on the trusted interfaces. @@ -188,9 +201,7 @@ let ip46tables -D INPUT -j nixos-fw 2>/dev/null || true ${optionalString (kernelHasRPFilter && cfg.checkReversePath) '' - if ! ip46tables -D PREROUTING -t raw -m rpfilter --invert -j DROP; then - echo "<2>failed to stop rpfilter support" >&2 - fi + ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true ''} ${cfg.extraStopCommands} @@ -376,6 +387,16 @@ in ''; }; + networking.firewall.logReversePathDrops = mkOption { + default = false; + type = types.bool; + description = + '' + Logs dropped packets failing the reverse path filter test if + the option networking.firewall.checkReversePath is enabled. + ''; + }; + networking.firewall.connectionTrackingModules = mkOption { default = [ "ftp" ]; example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; |