Subject: [bug#48975] New firewall service
From: Solene Rapenne via Guix-patches
To: Jonathan Brielmaier
Cc: 48975@debbugs.gnu.org
Date: Sun, 13 Jun 2021 00:13:58 +0200
Message-ID: <20210613001358.3cc67453@daru.lan>
In-Reply-To: <73ab1edf-5917-a01f-66b9-816c43899020@web.de>
On Sat, 12 Jun 2021 21:59:53 +0200 Jonathan Brielmaier wrote:

> On 12.06.21 19:19, Solene Rapenne via Guix-patches wrote:
> > Hello,
> >
> > I wrote a new firewall service, I already wrote an email to guix-devel
> > about it and it was suggested that I submit it here.
> >
> > The idea is to propose an easy way to manage your firewall. On a
> > personal computer or a server with no fancy network, you certainly want
> > to block access from the outside to all the ports except a few ones.
>
> Hi Solene,
>
> that is a really good idea. So I could get rid of my growing lines of
> plain iptables in my Guix config :)
>
> > The configuration looks like this, currently it only supports TCP and
> > UDP ports. Maybe NAT could be added later or other features, I'm open
> > to suggestions.
> >
> > (service firewall-service-type
> >   (firewall-configuration
> >     (udp '(53))
> >     (tcp '(22 70 1965))))
>
> I think we could improve the syntax as to be honest I'm unsure if the
> listed ports are the open or the closed ones.
>
> Maybe we could call this service simple-firewall-service-type or
> something along this.

hello, thanks a lot for your feedback.

I have no argument for a rename, as long as it's understandable. As it's
simple, I like simple-firewall. Do you think this would be easier to
understand by adding "open" to the names?

(service simple-firewall-service-type
  (simple-firewall-configuration
    (open-udp '(53))
    (open-tcp '(22 ...))))

I think we must decide if ICMP is allowed by default or not and the
syntax to enable/disable it. Maybe this? I would disable it by default.

(allow-icmp? #t)

If you stop simple-firewall with the current code, it will block every
inbound port, I'm not sure if it's the correct way to proceed, I suppose
it should flush absolutely everything.

To match the most simple use cases, a simple NAT and port redirection
could be done too.

;; do NAT on eth0 and set the according sysctl
(nat-on "eth0")

;; redirect incoming connections on ports 22 and 8080 to another box
(redirect '((22 "192.168.1.50:22")
            (8080 "192.168.1.50:80")))

> > Here is the code, I took bits from iptables as a base and then used the
> > Tor service way to generate the configuration file.
> >
> > diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> > index 87b3d754a3..d311f95448 100644
> > --- a/gnu/services/networking.scm
> > +++ b/gnu/services/networking.scm
>
> You should add a copyright line for yourself at the top of the file.
>

I've been told it's not mandatory. I have no issue adding it though.

I found a ^L character at many places in networking.scm, I don't know if
its appearance is legit or not. I think it's a garbage character that got
copy/pasted over and over. I copied it just in case.

> > +=0C
> > +;;;
> > +;;; Firewall
> > +;;;
> > +
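Review bot: the `=0C` on the first `+` line of this hunk is a quoted-printable-encoded form feed (the ^L the reply mentions), and its placement directly before the `;;; Firewall` banner matches the GNU convention of one form feed as section separator before each `;;;` heading, which is why the same character recurs throughout networking.scm; it is intentional and should stay, not be treated as pasted garbage. The quoted excerpt also lacks its `@@ ... @@` hunk header, so the insertion point in the file cannot be checked from what is shown here.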
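As an added illustration that is not part of this thread or of the patch, here is how the proposed simple-firewall configuration maps onto an iptables-restore ruleset in Guile Scheme, together with the flush ruleset that a `stop` action could load so that stopping the service does not leave every inbound port blocked. The record type, the field names (`open-tcp`, `open-udp`, `allow-icmp?`) and the procedure names are assumptions taken from the discussion, not the service's real API.

```scheme
;; Added example, not the patch's code: render the simple-firewall
;; configuration discussed in the thread as an iptables-restore ruleset.
;; The record type, field and procedure names are assumptions.
(use-modules (srfi srfi-9))

(define-record-type <simple-firewall-configuration>
  (make-simple-firewall-configuration open-tcp open-udp allow-icmp?)
  simple-firewall-configuration?
  (open-tcp    simple-firewall-configuration-open-tcp)
  (open-udp    simple-firewall-configuration-open-udp)
  (allow-icmp? simple-firewall-configuration-allow-icmp?))

(define (port-rules protocol ports)
  ;; One ACCEPT rule per listed port; anything not listed falls through
  ;; to the DROP policy on INPUT, so the list is what is *open*.
  (map (lambda (port)
         (string-append "-A INPUT -p " protocol " --dport "
                        (number->string port) " -j ACCEPT"))
       ports))

(define (simple-firewall->iptables-rules config)
  ;; Default-deny inbound; keep loopback and replies to our own
  ;; connections working; ICMP only when explicitly allowed.
  (string-join
   (append
    '("*filter"
      ":INPUT DROP [0:0]"
      ":FORWARD DROP [0:0]"
      ":OUTPUT ACCEPT [0:0]"
      "-A INPUT -i lo -j ACCEPT"
      "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    (if (simple-firewall-configuration-allow-icmp? config)
        '("-A INPUT -p icmp -j ACCEPT")
        '())
    (port-rules "tcp" (simple-firewall-configuration-open-tcp config))
    (port-rules "udp" (simple-firewall-configuration-open-udp config))
    '("COMMIT"))
   "\n" 'suffix))

(define (simple-firewall-flush-rules)
  ;; What "stop" should load: ACCEPT policies and no rules, so stopping
  ;; the service opens the host up again instead of blocking everything.
  "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n")

;; The configuration from the thread: TCP 22, 70, 1965 and UDP 53 open,
;; ICMP blocked by default.  Feed the output to `iptables-restore`.
(display (simple-firewall->iptables-rules
          (make-simple-firewall-configuration '(22 70 1965) '(53) #f)))
```

Run it with `guile script.scm | sudo iptables-restore` to apply the ruleset; load the output of `simple-firewall-flush-rules` the same way to undo it.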