firewall: option to enable the rpfilter netfilter module
This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which only works for ipv4. Furthermore, it's nicer to handle this kind of filtering in the firewall. There are some more subtle differences, please see: https://home.regit.org/netfilter-en/secure-use-of-helpers/ I chose to enable this by default (when the firewall is enabled) as it's a good idea in general. Only people with advanced routing needs might not want this, but I guess they don't use the nixos firewall anyway and use a custom solution. Furthermore, the option only becomes available in kernel 3.3+, so conservative nixos users that just stick to the default kernel will not need to act now just yet.
This commit is contained in:
parent
e40146de16
commit
6c62de6a31
@ -39,6 +39,11 @@ let
}
'';
kernelPackages = config.boot.kernelPackages;
kernelHasRPFilter = kernelPackages.kernel ? features
&& kernelPackages.kernel.features ? netfilterRPFilter
&& kernelPackages.kernel.features.netfilterRPFilter;
in
{
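Review bot: the three-way `?` test that builds `kernelHasRPFilter` relies on `?` binding tighter than `&&` in Nix, which it does, but the chain is hard to read; `(kernelPackages.kernel.features.netfilterRPFilter or false)` expresses the same fallback (a missing `features` set or a missing `netfilterRPFilter` attribute both yield false) in one expression. Either way, a kernel package that never sets `features` silently turns the check off rather than failing, which is the intended behaviour here but deserves a short comment so a later reader does not mistake the missing attribute for a bug.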
@ -140,6 +145,22 @@ in
'';
};
networking.firewall.checkReversePath = mkOption {
default = kernelHasRPFilter;
type = types.bool;
description =
''
Performs a reverse path filter test on a packet.
If a reply to the packet would not be sent via the same interface
that the packet arrived on, it is refused.
If using asymmetric routing or other complicated routing,
disable this setting and setup your own counter-measures.
(needs kernel 3.3+)
'';
};
networking.firewall.extraCommands = mkOption {
default = "";
example = "iptables -A INPUT -p icmp -j ACCEPT";
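Review bot: the description of `networking.firewall.checkReversePath` should state that the default is true only when the kernel advertises rpfilter support (`default = kernelHasRPFilter`); as written, a user on an older kernel reads the option as enabled by default yet has no reverse-path check in place. Replace the bare "(needs kernel 3.3+)" with something like "Defaults to true on kernels that support rpfilter (3.3+), false otherwise." Also, "setup your own counter-measures" should read "set up your own counter-measures".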
@ -170,6 +191,9 @@ in
boot.kernelModules = [ "nf_conntrack_ftp" ];
assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter;
message = "This kernel does not support rpfilter"; } ];
jobs.firewall =
{ startOn = "started network-interfaces";
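Review bot: the assertion message "This kernel does not support rpfilter" names neither the option that tripped it nor the way out; say both, e.g. `message = "networking.firewall.checkReversePath requires a kernel with rpfilter support (3.3+); set it to false or use a newer kernel";`. The condition itself is correct: because the option's default tracks `kernelHasRPFilter`, the assertion only fires when the user has explicitly set `checkReversePath = true` on a kernel that lacks the module.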
@ -233,6 +257,12 @@ in
# The "nixos-fw" chain does the actual work.
ip46tables -N nixos-fw
# Perform a reverse-path test to refuse spoofers
# For now, we just drop, as the raw table doesn't have a log-refuse yet
${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP
''}
# Accept all traffic on the trusted interfaces.
${flip concatMapStrings cfg.trustedInterfaces (iface: ''
ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept
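Review bot: the rpfilter rule is appended to the raw table's PREROUTING chain, outside the nixos-fw chains that the rest of this script creates and manages; confirm that the firewall's stop and restart paths flush the raw table as well, otherwise the rule survives a stop and is appended a second time on every start. The `kernelHasRPFilter &&` half of the `optionalString` condition is redundant with the assertion added in the previous hunk, which already fails evaluation when `cfg.checkReversePath` is true on a kernel without rpfilter, so `cfg.checkReversePath` alone would do. Since failing packets are dropped silently (as the comment acknowledges), a rate-limited `-j LOG` rule ahead of the DROP in the same chain would let an operator see reverse-path failures in the logs without waiting for the log-refuse chain to exist in the raw table.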