Subject: [bug#32465] Add iptables service
From: Julien Lepiller
Date: Tue, 04 Sep 2018 15:52:38 +0200
To: 32465@debbugs.gnu.org
In-Reply-To: <87lg8hbe0c.fsf@gnu.org>
Message-ID: <0dd58c95062371f585a17899387bfdeb@lepiller.eu>

Hi,

It's not directly an answer to Arun's patch (it is great), but I recently came across firemason (http://www.cs.yale.edu/homes/zhai-ennan/firemason.pdf and https://github.com/BillHallahan/FireMason) and I thought we could implement something similar. Basically, we declare a list of rules in the iptables service, and we let other services extend that. A rule would be a specification, independent of the order in which they are specified: "Any packet that matches this rule must be rejected".
Of course, this means that we may have conflicting specifications. For instance, "any packet from this ip must be dropped" and "any packet entering on this port must be accepted" are in conflict for packets entering on this port from this ip address. All we need is a mechanism to make these cases explicit (when a packet may be dropped or accepted at the same time), such as "repair: packets from this ip on this port must be dropped", so the service will effectively see these rules: "any packet from this ip must be dropped" and "any packet entering on this port but not this ip must be accepted", then translated to:

-A INPUT -s ! -p tcp --dport -j ACCEPT
-A INPUT -s ACCEPT

(see how they are independent from the order in which they are declared?)

The hard part is to detect a conflict between two rules and give hints to the user as to how to fix that. Of course, we should provide a mechanism to load files as a fallback, in which case additional rules from services should be ignored.

What do you think?

PS: Arun, in your patch for the manual you say: "This is the service type to set up an iptables coniguration". This should be "configuration".
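The rule model sketched in the message above (order-independent rule specifications, conflict detection, and a more specific "repair" rule that settles the overlap), as an added example in Python that is not part of this patch thread or of Guix; the rule fields, the address and the port are constructed for illustration.

```python
"""Declarative firewall rules with conflict detection (constructed example)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    src: Optional[str] = None    # source address, None means any
    dport: Optional[int] = None  # TCP destination port, None means any

    def specificity(self):
        return (self.src is not None) + (self.dport is not None)

def overlap(a, b):
    """The most specific match shared by a and b, or None if no packet matches both."""
    fields = {}
    for name in ("src", "dport"):
        x, y = getattr(a, name), getattr(b, name)
        if x is not None and y is not None and x != y:
            return None            # both constrain the field with different values
        fields[name] = x if x is not None else y
    return fields

def conflicts(rules):
    """Pairs of rules that can match the same packet but disagree on the action."""
    return [(a, b) for a, b in combinations(rules, 2)
            if a.action != b.action and overlap(a, b) is not None]

def unresolved(rules):
    """Conflicts with no 'repair' rule: exactly the overlap match with a single action."""
    open_conflicts = []
    for a, b in conflicts(rules):
        ov = overlap(a, b)
        deciders = {r.action for r in rules if (r.src, r.dport) == (ov["src"], ov["dport"])}
        if len(deciders) != 1:
            open_conflicts.append((a, b))
    return open_conflicts

def to_iptables(rules):
    """Emit INPUT rules most specific first, so the declaration order does not matter."""
    ordered = sorted(rules, key=lambda r: (-r.specificity(), r.src or "", r.dport or 0, r.action))
    lines = []
    for r in ordered:
        line = "-A INPUT"
        if r.src is not None:
            line += f" -s {r.src}"
        if r.dport is not None:
            line += f" -p tcp --dport {r.dport}"
        lines.append(f"{line} -j {r.action}")
    return lines
```

Running `unresolved` before generating the ruleset is the hook for the "hints to the user" step: each open pair names the two declarations and the overlap that still needs a repair rule.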