nixpkgs/modules/services/networking/firewall.nix

{pkgs, config, ...}:

let

  iptables = "${pkgs.iptables}/sbin/iptables";

in

{

  ###### interface

  options = {
  
    networking.firewall.enable = pkgs.lib.mkOption {
      default = false;
      description =
        ''
          Whether to enable the firewall.
        '';
    };
  
    networking.firewall.allowedTCPPorts = pkgs.lib.mkOption {
      default = [];
      example = [22 80];
      type = pkgs.lib.types.list pkgs.lib.types.int;
      description =
        ''
          List of TCP ports on which incoming connections are
          accepted.
        '';
    };
  
  };


  ###### implementation

  # !!! Maybe if `enable' is false, the firewall should still be built
  # but not started by default.  However, currently nixos-rebuild
  # doesn't deal with such Upstart jobs properly (it starts them if
  # they are changed, regardless of whether the start condition
  # holds).
  config = pkgs.lib.mkIf config.networking.firewall.enable {

    environment.systemPackages = [pkgs.iptables];

    jobs = pkgs.lib.singleton
      { name = "firewall";

        startOn = "network-interfaces/started";

        preStart =
          ''
            ${iptables} -F

            # Accept all traffic on the loopback interface.
            ${iptables} -A INPUT -i lo -j ACCEPT

            # Accept packets from established or related connections.
            ${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

            # Accept connections to the allowed TCP ports.            
            ${pkgs.lib.concatMapStrings (port:
                ''
                  ${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT
                ''
              ) config.networking.firewall.allowedTCPPorts
            }

            # Accept multicast.  Not a big security risk since
            # probably nobody is listening anyway.
            ${iptables} -A INPUT -d 224.0.0.0/4 -j ACCEPT

            # Drop everything else.
            ${iptables} -A INPUT -j LOG --log-level info --log-prefix "firewall: "
            ${iptables} -A INPUT -j DROP
          '';

        postStop =
          ''
            ${iptables} -F
          '';     
      };

  };

}
* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460 2009-07-25 01:12:52 +02:00			`{pkgs, config, ...}:`

			`let`

			`iptables = "${pkgs.iptables}/sbin/iptables";`

			`in`

			`{`

			`###### interface`

			`options = {`

* Add an option to enable the firewall. It should eventually be enabled by default. svn path=/nixos/branches/modular-nixos/; revision=16464 2009-07-26 23:27:35 +02:00			`networking.firewall.enable = pkgs.lib.mkOption {`
			`default = false;`
			`description =`
			`''`
			`Whether to enable the firewall.`
			`'';`
			`};`

* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460 2009-07-25 01:12:52 +02:00			`networking.firewall.allowedTCPPorts = pkgs.lib.mkOption {`
			`default = [];`
			`example = [22 80];`
			`type = pkgs.lib.types.list pkgs.lib.types.int;`
			`description =`
			`''`
			`List of TCP ports on which incoming connections are`
			`accepted.`
			`'';`
			`};`

			`};`


			`###### implementation`
* Add an option to enable the firewall. It should eventually be enabled by default. svn path=/nixos/branches/modular-nixos/; revision=16464 2009-07-26 23:27:35 +02:00
			# !!! Maybe if `enable' is false, the firewall should still be built
			`# but not started by default. However, currently nixos-rebuild`
			`# doesn't deal with such Upstart jobs properly (it starts them if`
			`# they are changed, regardless of whether the start condition`
			`# holds).`
			`config = pkgs.lib.mkIf config.networking.firewall.enable {`
* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460 2009-07-25 01:12:52 +02:00
			`environment.systemPackages = [pkgs.iptables];`

			`jobs = pkgs.lib.singleton`
			`{ name = "firewall";`

* Add an option to enable the firewall. It should eventually be enabled by default. svn path=/nixos/branches/modular-nixos/; revision=16464 2009-07-26 23:27:35 +02:00			`startOn = "network-interfaces/started";`

* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460 2009-07-25 01:12:52 +02:00			`preStart =`
			`''`
			`${iptables} -F`

			`# Accept all traffic on the loopback interface.`
			`${iptables} -A INPUT -i lo -j ACCEPT`

			`# Accept packets from established or related connections.`
			`${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`

			`# Accept connections to the allowed TCP ports.`
			`${pkgs.lib.concatMapStrings (port:`
			`''`
			`${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT`
			`''`
			`) config.networking.firewall.allowedTCPPorts`
			`}`

* Added a module for the bluetooth daemon. * Refactored some other modules (dbus, hal). svn path=/nixos/trunk/; revision=16652 2009-08-10 20:25:09 +02:00			`# Accept multicast. Not a big security risk since`
			`# probably nobody is listening anyway.`
			`${iptables} -A INPUT -d 224.0.0.0/4 -j ACCEPT`

			`# Drop everything else.`
			`${iptables} -A INPUT -j LOG --log-level info --log-prefix "firewall: "`
* A very basic firewall that rejects all incoming connections except for the ports defined in networking.firewall.allowedTCPPorts. svn path=/nixos/branches/modular-nixos/; revision=16460 2009-07-25 01:12:52 +02:00			`${iptables} -A INPUT -j DROP`
			`'';`

			`postStop =`
			`''`
			`${iptables} -F`
			`'';`
			`};`

			`};`

			`}`