Date: Wed, 9 Jun 2021 21:11:59 +0200
From: Solene Rapenne
To: guix-devel@gnu.org
Subject: Feedback on a new simple firewall service
Message-ID: <20210609211159.0f31f134@perso.pw>
Hello,

I'm looking for advice and feedback. I wrote a simple service (reusing the iptables service as a start) that I called "firewall"; the purpose is to block all incoming ports and list the ports you want to allow. The point is to allow users to easily manage their firewall without knowing how to use iptables. Most of the time opening a few ports and blocking everything is enough.

However, while this works in its current state, I'm not satisfied with my code and the way it works.

- it's not compatible with iptables and not extendable; should I merge this into the iptables service?
- I'm defining the configuration file in a long string with map calls and conditions, and it looks very ugly. I haven't written much Scheme in my life and I struggled a bit to get the pieces to form the string; this is noticeable in the result.
- what should happen when you stop the service? I'm currently using a default rule set that keeps incoming traffic blocked on every port, but this may not be desirable.
Example of configuration:

(service firewall-service-type
         (firewall-configuration
          (udp '(53))
          (tcp '(22 70 1965))))

The corresponding iptables -L output:

---------
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:gopher
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1965
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
--------

Here is my code in its current state:

;;;
;;; Firewall
;;;

;; Modules this snippet depends on when it lives outside
;; gnu/services/networking.scm.
(use-modules (gnu packages linux)        ; iptables
             (gnu services)
             (gnu services shepherd)
             (guix gexp)
             (guix records)
             (ice-9 match))

;; Default ruleset: drop every incoming and forwarded packet and only let
;; replies to connections initiated from this host back in.  Despite the
;; variable name, this blocks all new incoming traffic.
(define %firewall-accept-all-rules
  (plain-file "firewall-block-all.rules"
              "*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"))

(define-record-type* <firewall-configuration>
  firewall-configuration make-firewall-configuration
  firewall-configuration?
  (tcp firewall-configuration-tcp (default #f))   ; list of TCP ports to allow
  (udp firewall-configuration-udp (default #f)))  ; list of UDP ports to allow

(define firewall-shepherd-service
  (match-lambda
    (($ <firewall-configuration> tcp udp)
     (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
            (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore"))
            ;; Ruleset built from the configured ports: one ACCEPT line per port.
            (custom-rules
             (plain-file "iptables-defined.rules"
                         (format #f "*filter~%:INPUT DROP~%:FORWARD DROP~%:OUTPUT ACCEPT~%~a~%~a~%~a~%COMMIT~%"
                                 "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
                                 (if tcp
                                     (string-join
                                      (map (lambda (tcp)
                                             (format #f "-A INPUT -p tcp --dport ~a -j ACCEPT" tcp))
                                           tcp)
                                      "\n")
                                     "")
                                 (if udp
                                     (string-join
                                      (map (lambda (udp)
                                             (format #f "-A INPUT -p udp --dport ~a -j ACCEPT" udp))
                                           udp)
                                      "\n")
                                     ""))))
            (ruleset (if (or udp tcp)
                         custom-rules
                         ;; if no ports defined, use the default ruleset
                         %firewall-accept-all-rules)))
       (shepherd-service
        (documentation "Easy firewall management")
        (provision '(firewall))
        (start #~(lambda _
                   (invoke #$iptables-restore #$ruleset)
                   (invoke #$ip6tables-restore #$ruleset)))
        (stop #~(lambda _
                  (invoke #$iptables-restore #$%firewall-accept-all-rules)
                  (invoke #$ip6tables-restore #$%firewall-accept-all-rules))))))))

(define firewall-service-type
  (service-type
   (name 'firewall)
   (description
    "Run @command{iptables-restore}, setting up the specified rules.")
   (extensions
    (list (service-extension shepherd-root-service-type
                             (compose list firewall-shepherd-service))))))
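As an added example (not code from the mail or from Guix), here is one way to build the same iptables-restore text as a list of lines instead of one long format string; with no ports it yields the block-all ruleset, so the same function can serve the stop case. The names firewall-rules, port-rule and %base-rules are mine, and the "-i lo" line is an addition not present in the original rules: with INPUT policy DROP and no loopback rule, new connections to 127.0.0.1 would be dropped too.

```scheme
;; Added example, pure Guile: generate the iptables-restore ruleset from
;; port lists.  Service wiring (plain-file, shepherd) is not repeated here.

(define %base-rules
  '("*filter"
    ":INPUT DROP"
    ":FORWARD DROP"
    ":OUTPUT ACCEPT"
    ;; Loopback rule: not in the original mail, added so local services keep
    ;; working under an INPUT DROP policy.
    "-A INPUT -i lo -j ACCEPT"
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"))

(define (port-rule proto port)
  "Return one ACCEPT rule for PROTO (\"tcp\" or \"udp\") on PORT.
Reject anything that is not a plain port number before it reaches
iptables-restore, where the error would be far less readable."
  (unless (and (integer? port) (exact? port) (< 0 port 65536))
    (error "invalid port number:" port))
  (format #f "-A INPUT -p ~a --dport ~a -j ACCEPT" proto port))

(define* (firewall-rules #:key (tcp '()) (udp '()))
  "Return the iptables-restore ruleset text for the TCP and UDP port lists.
Called with no ports it returns the block-all ruleset."
  (string-join
   (append %base-rules
           (map (lambda (p) (port-rule "tcp" p)) tcp)
           (map (lambda (p) (port-rule "udp" p)) udp)
           '("COMMIT"))
   "\n" 'suffix))                       ; 'suffix gives the final newline

;; The configuration from the mail, and the block-all fallback for stop:
(display (firewall-rules #:tcp '(22 70 1965) #:udp '(53)))
(display (firewall-rules))
```

The second call shows the text that would replace %firewall-accept-all-rules when the service stops.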