From: Jonathan Brielmaier <jonathan.brielmaier@web.de>
To: Solene Rapenne <solene@perso.pw>, 48975@debbugs.gnu.org
Subject: [bug#48975] New firewall service
Date: Sat, 12 Jun 2021 21:59:53 +0200 [thread overview]
Message-ID: <73ab1edf-5917-a01f-66b9-816c43899020@web.de> (raw)
In-Reply-To: <20210612191959.6394494e@perso.pw>
On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> Hello,
>
> I wrote a new firewall service, I already wrote an email to guix-devel
> about it and I've been suggested to submit it here.
>
> The idea is to propose an easy way to manage your firewall. On a
> personal computer or a server with no fancy network, you certainly want
> to block access from the outside to all the ports except a few ones.
Hi Solene,
that is a really good idea. So I could get rid of my growing lines of
plain iptables in my Guix config :)
> The configuration looks like this, currently it only supports TCP and
> UDP ports. Maybe NAT or other features could be added later, I'm open
> to suggestions.
>
> (service firewall-service-type
> (firewall-configuration
> (udp '(53))
> (tcp '(22 70 1965))))
I think we could improve the syntax as to be honest I'm unsure if the
listed ports are the open or the closed ones.
Maybe we could call this service simple-firewall-service-type or
something along this.
>
> Here is the code, I took bits from iptables as a base and then used the
> Tor service way to generate the configuration file.
>
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 87b3d754a3..d311f95448 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm
You should add a copyright line for yourself at the top of the file.
> @@ -221,7 +221,11 @@
>
> keepalived-configuration
> keepalived-configuration?
> - keepalived-service-type))
> + keepalived-service-type
> +
> + firewall-service-type
> + firewall-configuration
> + firewall-configuration?))
>
> ;;; Commentary:
> ;;;
> @@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network.")))
> "Run @uref{https://www.keepalived.org/, Keepalived}
> routing software.")))
>
> +\f
> +;;;
> +;;; Firewall
> +;;;
> +
> +(define-record-type* <firewall-configuration>
> + firewall-configuration make-firewall-configuration
> + firewall-configuration?
> + (tcp firewall-configuration-tcp
> + (default '()))
> + (udp firewall-configuration-udp
> + (default '())))
> +
> +(define (firewall-configuration->file tcp udp)
> + "Return the iptables rules from the ports list"
> + (computed-file
> + "firewall-generated-rules"
> + (with-imported-modules '((guix build utils))
> + #~(begin
> + (use-modules (guix build utils)
> + (ice-9 match))
> + (call-with-output-file #$output
> + (lambda (out)
> + (display "\
> +*filter
> +:INPUT DROP
> +:FORWARD DROP
> +:OUTPUT ACCEPT
> +-A INPUT -i lo -j ACCEPT
> +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out)
> +
> + ;; tcp rules
> + (when (not (null? (list #$@tcp)))
> + (format out "\
> +~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}"
> + (list #$@tcp)))
> +
> + ;; udp rules
> + (when (not (null? (list #$@udp)))
> + (format out "\
> +~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}"
> + (list #$@udp)))
> +
> + (display "COMMIT\n" out)
> + #t))))))
I'm not an iptables expert but does this config block/open IPv4 as well
as IPv6?
> +(define firewall-shepherd-service
> + (match-lambda
> + (($ <firewall-configuration> tcp udp)
> + (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
> + (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore"))
> + (ruleset (firewall-configuration->file tcp udp)))
> + (shepherd-service
> + (documentation "Easy firewall management")
> + (provision '(firewall))
> + (start #~(lambda _
> + (invoke #$iptables-restore #$ruleset)
> + (invoke #$ip6tables-restore #$ruleset)))
> + (stop #~(lambda _
> + (invoke #$iptables-restore #$ruleset)
> + (invoke #$ip6tables-restore #$ruleset))))))))
> +
> +(define firewall-service-type
> + (service-type
> + (name 'firewall)
> + (description
> + "Run @command{iptables-restore}, setting up the specified rules.")
> + (extensions
> + (list (service-extension shepherd-root-service-type
> + (compose list firewall-shepherd-service))))))
> +
> +
> ;;; networking.scm ends here
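Review bot: the `stop` handler in `firewall-shepherd-service` runs exactly the same `iptables-restore`/`ip6tables-restore` calls as `start`, so stopping the service reloads the DROP ruleset rather than removing it; load a reset ruleset with ACCEPT policies and empty chains there instead, and have the lambda return `#f` so the Shepherd records the service as stopped. Second, the single generated file is also fed to `ip6tables-restore`, but its only INPUT exceptions are loopback, conntrack state and the listed ports: with `:INPUT DROP` and no ICMPv6 rule, neighbour discovery (ICMPv6 types 133-136) and packet-too-big messages are dropped, so IPv6 on the host will not work, and on the IPv4 side ping and fragmentation-needed ICMP are dropped as well. Generating a separate v6 ruleset that accepts the ICMPv6 types RFC 4890 lists as required (and accepting ICMP on v4) would address Jonathan's IPv4/IPv6 question. Minor: `(ice-9 match)` is imported inside the gexp but never used, and `(when (not (null? ...)))` reads more idiomatically as `(unless (null? ...))`.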
>
>
>
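As an added illustration, not part of Solene's patch or of Guix itself, the following Python reproduces the iptables-restore text that the patch's `firewall-configuration->file` writes for the example configuration (udp 53, tcp 22 70 1965), adds the ICMPv6 exceptions an IPv6 ruleset needs, and parses the result back to answer the question raised above, namely which ports a generated file opens. The function names (`generate_ruleset`, `accepted_ports`, `input_policy`) and the constructed port lists are my own.

```python
import re

# ICMPv6 types a host must accept for IPv6 to function at all (RFC 4890):
# destination unreachable (1), packet too big (2, path MTU discovery),
# time exceeded (3), parameter problem (4), router solicitation/advertisement
# (133, 134) and neighbour solicitation/advertisement (135, 136).
ICMPV6_REQUIRED_TYPES = (1, 2, 3, 4, 133, 134, 135, 136)

# Same preamble the patch writes with `display`: default-deny inbound and
# forwarded traffic, allow loopback and replies to connections we initiated.
PREAMBLE = [
    "*filter",
    ":INPUT DROP",
    ":FORWARD DROP",
    ":OUTPUT ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
]


def _check_ports(ports):
    """Reject anything that is not a valid TCP/UDP port number."""
    for port in ports:
        if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {port!r}")
    return list(ports)


def generate_ruleset(tcp=(), udp=(), family="ipv4"):
    """Return iptables-restore text for FAMILY ("ipv4" or "ipv6").

    The listed ports are the ones that get OPENED; everything else arriving
    on INPUT falls through to the DROP policy.  For "ipv6" the ruleset also
    accepts the ICMPv6 types neighbour discovery relies on, which a file
    shared between iptables-restore and ip6tables-restore would omit.
    """
    if family not in ("ipv4", "ipv6"):
        raise ValueError(f"unknown family: {family!r}")
    tcp, udp = _check_ports(tcp), _check_ports(udp)

    lines = list(PREAMBLE)
    if family == "ipv6":
        lines += [f"-A INPUT -p ipv6-icmp --icmpv6-type {t} -j ACCEPT"
                  for t in ICMPV6_REQUIRED_TYPES]
    lines += [f"-A INPUT -p tcp --dport {p} -j ACCEPT" for p in tcp]
    lines += [f"-A INPUT -p udp --dport {p} -j ACCEPT" for p in udp]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


_ACCEPT_RULE = re.compile(r"^-A INPUT -p (tcp|udp) --dport (\d+) -j ACCEPT$")


def accepted_ports(ruleset):
    """Parse RULESET and return the set of (proto, port) pairs INPUT accepts.

    This is the check to run before loading the file: it answers
    "which ports does this open?" from the generated text alone.
    """
    found = set()
    for line in ruleset.splitlines():
        m = _ACCEPT_RULE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def input_policy(ruleset):
    """Return the INPUT chain policy declared in RULESET (e.g. "DROP")."""
    for line in ruleset.splitlines():
        if line.startswith(":INPUT "):
            return line.split()[1]
    raise ValueError("no INPUT chain policy in ruleset")


if __name__ == "__main__":
    # Constructed input: the configuration from the patch description.
    v4 = generate_ruleset(tcp=(22, 70, 1965), udp=(53,))
    v6 = generate_ruleset(tcp=(22, 70, 1965), udp=(53,), family="ipv6")
    print(v4)
    print("opened:", sorted(accepted_ports(v4)), "policy:", input_policy(v4))
    print(v6)
```

The v4 output is byte-for-byte what the patch's `format` loops produce for that configuration; the v6 variant is what a per-family file would need to add so that `ip6tables-restore` does not leave the host without neighbour discovery.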
Thread overview:
2021-06-12 17:19 [bug#48975] New firewall service Solene Rapenne via Guix-patches via
2021-06-12 19:59 ` Jonathan Brielmaier [this message]
2021-06-12 22:13 ` Solene Rapenne via Guix-patches via
2021-06-13 9:29 ` Arun Isaac
2022-11-04 7:25 ` [bug#48975] [PATCH] gnu: simple-firewall-service: Add a simple service wrapping iptables antlers
2022-11-06 20:39 ` antlers