Subject: [bug#48975] New firewall service
From: Jonathan Brielmaier
To: Solene Rapenne, 48975@debbugs.gnu.org
Cc: guix-patches@gnu.org
Date: Sat, 12 Jun 2021 21:59:53 +0200
Message-ID: <73ab1edf-5917-a01f-66b9-816c43899020@web.de>
In-Reply-To: <20210612191959.6394494e@perso.pw>

On 12.06.21 19:19, Solene Rapenne via Guix-patches wrote:
> Hello,
>
> I wrote a new firewall service, I already wrote an email to guix-devel
> about it and I've been suggested to submit it here.
>
> The idea is to propose an easy way to manage your firewall. On a
> personal computer or a server with no fancy network, you certainly want
> to block access from the outside to all the ports except a few ones.

Hi Solene,

that is a really good idea. So I could get rid of my growing lines of
plain iptables in my Guix config :)

> The configuration looks like this, currently it only supports TCP and
> UDP ports. Maybe NAT could be added later or other features, I'm open
> to suggestions.
>
> (service firewall-service-type
>          (firewall-configuration
>           (udp '(53))
>           (tcp '(22 70 1965))))

I think we could improve the syntax as to be honest I'm unsure if the
listed ports are the open or the closed ones. Maybe we could call this
service simple-firewall-service-type or something along those lines.

>
> Here is the code, I took bits from iptables as a base and then used the
> Tor service way to generate the configuration file.
>
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 87b3d754a3..d311f95448 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm

You should add a copyright line for yourself at the top of the file.

> @@ -221,7 +221,11 @@
>
>              keepalived-configuration
>              keepalived-configuration?
> -            keepalived-service-type))
> +            keepalived-service-type
> +
> +            firewall-service-type
> +            firewall-configuration
> +            firewall-configuration?))
>
>  ;;; Commentary:
>  ;;;
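Review bot: the export list adds `firewall-service-type`, `firewall-configuration` and `firewall-configuration?` but not the field accessors `firewall-configuration-tcp` and `firewall-configuration-udp` that the record definition in the second hunk introduces; exporting them next to the record lets other services and user code read or extend a configuration (for example to append ports) without reaching into the module's internals.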
> @@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network.")))
>     "Run @uref{https://www.keepalived.org/, Keepalived}
>  routing software.")))
>
> +
> +;;;
> +;;; Firewall
> +;;;
> +
> +(define-record-type*
> +  firewall-configuration make-firewall-configuration
> +  firewall-configuration?
> +  (tcp firewall-configuration-tcp
> +       (default '()))
> +  (udp firewall-configuration-udp
> +       (default '())))
> +
> +(define (firewall-configuration->file tcp udp)
> +  "Return the iptables rules from the ports list"
> +  (computed-file
> +   "firewall-generated-rules"
> +   (with-imported-modules '((guix build utils))
> +     #~(begin
> +         (use-modules (guix build utils)
> +                      (ice-9 match))
> +         (call-with-output-file #$output
> +           (lambda (out)
> +             (display "\
> +*filter
> +:INPUT DROP
> +:FORWARD DROP
> +:OUTPUT ACCEPT
> +-A INPUT -i lo -j ACCEPT
> +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out)
> +
> +             ;; tcp rules
> +             (when (not (null? (list #$@tcp)))
> +               (format out "\
> +~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}"
> +                       (list #$@tcp)))
> +
> +             ;; udp rules
> +             (when (not (null? (list #$@udp)))
> +               (format out "\
> +~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}"
> +                       (list #$@udp)))
> +
> +             (display "COMMIT\n" out)
> +             #t))))))

I'm not an iptables expert but does this config block/open IPv4 as well
as IPv6?

> +(define firewall-shepherd-service
> +  (match-lambda
> +    (($ tcp udp)
> +     (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
> +            (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore"))
> +            (ruleset (firewall-configuration->file tcp udp)))
> +       (shepherd-service
> +        (documentation "Easy firewall management")
> +        (provision '(firewall))
> +        (start #~(lambda _
> +                   (invoke #$iptables-restore #$ruleset)
> +                   (invoke #$ip6tables-restore #$ruleset)))
> +        (stop #~(lambda _
> +                  (invoke #$iptables-restore #$ruleset)
> +                  (invoke #$ip6tables-restore #$ruleset))))))))
> +
> +(define firewall-service-type
> +  (service-type
> +   (name 'firewall)
> +   (description
> +    "Run @command{iptables-restore}, setting up the specified rules.")
> +   (extensions
> +    (list (service-extension shepherd-root-service-type
> +                             (compose list firewall-shepherd-service))))))
> +
> +
>  ;;; networking.scm ends here
>
>
>
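Review bot: the `stop` procedure in `firewall-shepherd-service` loads the same `#$ruleset` as `start`, so stopping the service re-applies the DROP policies instead of lifting them; if `herd stop firewall` is meant to disable the firewall, `stop` should restore a permissive accept-all ruleset, and if the rules are meant to stay in place across a stop, the `documentation` string should say so. Second, the same file is fed to both `iptables-restore` and `ip6tables-restore`, which answers the IPv4/IPv6 question above (both families get identical rules), but with `:INPUT DROP` and no ICMPv6 rule the IPv6 side also drops Neighbour Discovery, which the `ESTABLISHED,RELATED` conntrack match does not cover, so IPv6 connectivity on the host will break; the IPv6 ruleset needs an `-A INPUT -p ipv6-icmp -j ACCEPT` line (and IPv4 an ICMP accept if ping is expected to work), which argues for generating separate v4 and v6 files rather than one shared `ruleset`. Minor: `(guix build utils)` and `(ice-9 match)` are imported in the gexp but never used, and the `(when (not (null? (list #$@tcp))) ...)` guards can go, since `~{...~}` over an empty list prints nothing.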
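Since the thread's open question is whether the listed ports are the opened or the closed ones, here is an added illustration (my own Python, not code from the patch or from Guix) that renders the ruleset in exactly the shape the patch's `firewall-configuration->file` emits and then reads it back to report the INPUT policy and the ports it explicitly accepts. The function names `render_ruleset`, `check_ports` and `open_ports` are mine, and the port-range validation is an addition the patch does not perform.

```python
"""Render and read back the iptables-restore ruleset shape used by the
patch's firewall-configuration->file (added illustration, not Guix code)."""
from typing import Dict, Iterable, List

# Fixed part of the ruleset, copied from the patch: filter table, default
# DROP on INPUT and FORWARD, ACCEPT on OUTPUT, then loopback and conntrack.
HEADER = (
    "*filter\n"
    ":INPUT DROP\n"
    ":FORWARD DROP\n"
    ":OUTPUT ACCEPT\n"
    "-A INPUT -i lo -j ACCEPT\n"
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
)
FOOTER = "COMMIT\n"


def check_ports(ports: Iterable[int]) -> List[int]:
    """Accept only integers in 1..65535.  The patch itself does no such
    validation; this check is an addition."""
    result = []
    for port in ports:
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {port!r}")
        result.append(port)
    return result


def render_ruleset(tcp: Iterable[int] = (), udp: Iterable[int] = ()) -> str:
    """Produce the text the service hands to iptables-restore and
    ip6tables-restore: one ACCEPT line per listed port, nothing else opened."""
    lines = [HEADER]
    for port in check_ports(tcp):
        lines.append(f"-A INPUT -p tcp --dport {port} -j ACCEPT\n")
    for port in check_ports(udp):
        lines.append(f"-A INPUT -p udp --dport {port} -j ACCEPT\n")
    lines.append(FOOTER)
    return "".join(lines)


def open_ports(ruleset: str) -> Dict[str, object]:
    """Parse a ruleset and report the INPUT chain policy plus the ports it
    explicitly ACCEPTs, so a reviewer can verify what a config opens."""
    policy = None
    ports: Dict[str, List[int]] = {}
    for line in ruleset.splitlines():
        tokens = line.split()
        if line.startswith(":INPUT") and len(tokens) >= 2:
            policy = tokens[1]  # ":INPUT DROP" or ":INPUT DROP [0:0]"
        elif (len(tokens) >= 8 and tokens[:3] == ["-A", "INPUT", "-p"]
              and tokens[4] == "--dport" and tokens[-2:] == ["-j", "ACCEPT"]):
            ports.setdefault(tokens[3], []).append(int(tokens[5]))
    return {"policy": policy,
            "tcp": ports.get("tcp", []),
            "udp": ports.get("udp", [])}


if __name__ == "__main__":
    # The configuration from the message: udp 53, tcp 22 70 1965.
    rules = render_ruleset(tcp=[22, 70, 1965], udp=[53])
    print(rules)
    print(open_ports(rules))
```

Running it on the configuration from the message reports policy `DROP` with TCP 22, 70, 1965 and UDP 53 accepted, i.e. the listed ports are the opened ones and everything else on INPUT falls through to DROP.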