* [bug#48975] New firewall service @ 2021-06-12 17:19 Solene Rapenne via Guix-patches via 2021-06-12 19:59 ` Jonathan Brielmaier ` (2 more replies) 0 siblings, 3 replies; 6+ messages in thread From: Solene Rapenne via Guix-patches via @ 2021-06-12 17:19 UTC (permalink / raw) To: 48975 Hello, I wrote a new firewall service, I already wrote an email to guix-devel about it and I've been suggested to submit it here. The idea is to propose an easy way to manage your firewall. On a personal computer or a server with no fancy network, you certainly want to block access from the outside to all the ports except a few ones. The configuration looks like this, currently it only supports TCP and UDP ports. Maybe NAT could be added later or other feature, I'm opened to suggestions. (service firewall-service-type (firewall-configuration (udp '(53)) (tcp '(22 70 1965)))) Here is the code, I took bits from iptables as a base and then used the Tor service way to generate the configuration file. diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 87b3d754a3..d311f95448 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -221,7 +221,11 @@ keepalived-configuration keepalived-configuration? - keepalived-service-type)) + keepalived-service-type + + firewall-service-type + firewall-configuration + firewall-configuration?)) ;;; Commentary: ;;; 
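Review bot: the export hunk adds firewall-service-type, firewall-configuration and firewall-configuration? to the public interface, but this is the only file the patch touches, so the new service ships with no doc/guix.texi entry. Please add a subsection under the networking services documenting the two fields and stating that `tcp` and `udp` list the ports that are opened (everything else is dropped), since nothing in the names themselves says whether the listed ports are allowed or blocked.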
@@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network."))) "Run @uref{https://www.keepalived.org/, Keepalived} routing software."))) +\f +;;; +;;; Firewall +;;; + +(define-record-type* <firewall-configuration> + firewall-configuration make-firewall-configuration + firewall-configuration? + (tcp firewall-configuration-tcp + (default '())) + (udp firewall-configuration-udp + (default '()))) + +(define (firewall-configuration->file tcp udp) + "Return the iptables rules from the ports list" + (computed-file + "firewall-generated-rules" + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils) + (ice-9 match)) + (call-with-output-file #$output + (lambda (out) + (display "\ +*filter +:INPUT DROP +:FORWARD DROP +:OUTPUT ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out) + + ;; tcp rules + (when (not (null? (list #$@tcp))) + (format out "\ +~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}" + (list #$@tcp))) + + ;; udp rules + (when (not (null? 
(list #$@udp))) + (format out "\ +~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}" + (list #$@udp))) + + (display "COMMIT\n" out) + #t)))))) + +(define firewall-shepherd-service + (match-lambda + (($ <firewall-configuration> tcp udp) + (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore")) + (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore")) + (ruleset (firewall-configuration->file tcp udp))) + (shepherd-service + (documentation "Easy firewall management") + (provision '(firewall)) + (start #~(lambda _ + (invoke #$iptables-restore #$ruleset) + (invoke #$ip6tables-restore #$ruleset))) + (stop #~(lambda _ + (invoke #$iptables-restore #$ruleset) + (invoke #$ip6tables-restore #$ruleset)))))))) + +(define firewall-service-type + (service-type + (name 'firewall) + (description + "Run @command{iptables-restore}, setting up the specified rules.") + (extensions + (list (service-extension shepherd-root-service-type + (compose list firewall-shepherd-service)))))) + + ;;; networking.scm ends here ^ permalink raw reply related [flat|nested] 6+ messages in thread
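Review bot: the `stop` gexp in firewall-shepherd-service runs iptables-restore and ip6tables-restore with the same `ruleset` as `start`, so `herd stop firewall` leaves `:INPUT DROP` in place and every inbound port stays closed instead of the firewall being removed; make `stop` load a ruleset with `:INPUT ACCEPT`, `:FORWARD ACCEPT`, `:OUTPUT ACCEPT` and no rules in both families. Two more points in the same hunk. The generated file is fed to ip6tables-restore unchanged, yet it has no ICMPv6 rule; IPv6 neighbour discovery is ICMPv6 and is not matched by `-m conntrack --ctstate ESTABLISHED,RELATED`, so with `:INPUT DROP` a host loses IPv6 connectivity. Generate a separate v6 ruleset that carries `-A INPUT -p icmpv6 -j ACCEPT`. Finally, `(format out "~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}" (list #$@tcp))` writes whatever the user put in `tcp` and `udp` into a root-owned ruleset unchecked; a string element would add arbitrary rules. Validate each element as an exact integer in 1..65535 before building the file, and write `(when (not (null? ...)))` as `(unless (null? ...))`.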
* [bug#48975] New firewall service
2021-06-12 19:59 ` Jonathan Brielmaier
From: Jonathan Brielmaier @ 2021-06-12 19:59 UTC
To: Solene Rapenne, 48975

On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> Hello,
>
> I wrote a new firewall service, I already wrote an email to guix-devel
> about it and I've been suggested to submit it here.
>
> The idea is to propose an easy way to manage your firewall. On a
> personal computer or a server with no fancy network, you certainly want
> to block access from the outside to all the ports except a few ones.

Hi Solene,

that is a really good idea. So I could get rid of my growing lines of
plain iptables in my Guix config :)

> The configuration looks like this, currently it only supports TCP and
> UDP ports. Maybe NAT could be added later or other feature, I'm opened
> to suggestions.
>
> (service firewall-service-type
>   (firewall-configuration
>     (udp '(53))
>     (tcp '(22 70 1965))))

I think we could improve the syntax as to be honest I'm unsure if the
listed ports are the open or the closed ones.

Maybe we could call this service simple-firewall-service-type or
something along this.

> Here is the code, I took bits from iptables as a base and then used the
> Tor service way to generate the configuration file.
>
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 87b3d754a3..d311f95448 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm

You should add a copyright line for yourself at the top of the file.
> @@ -221,7 +221,11 @@ > > keepalived-configuration > keepalived-configuration? > - keepalived-service-type)) > + keepalived-service-type > + > + firewall-service-type > + firewall-configuration > + firewall-configuration?)) > > ;;; Commentary: > ;;; 
> @@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network."))) > "Run @uref{https://www.keepalived.org/, Keepalived} > routing software."))) > > +\f > +;;; > +;;; Firewall > +;;; > + > +(define-record-type* <firewall-configuration> > + firewall-configuration make-firewall-configuration > + firewall-configuration? > + (tcp firewall-configuration-tcp > + (default '())) > + (udp firewall-configuration-udp > + (default '()))) > + > +(define (firewall-configuration->file tcp udp) > + "Return the iptables rules from the ports list" > + (computed-file > + "firewall-generated-rules" > + (with-imported-modules '((guix build utils)) > + #~(begin > + (use-modules (guix build utils) > + (ice-9 match)) > + (call-with-output-file #$output > + (lambda (out) > + (display "\ > +*filter > +:INPUT DROP > +:FORWARD DROP > +:OUTPUT ACCEPT > +-A INPUT -i lo -j ACCEPT > +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out) > + > + ;; tcp rules > + (when (not (null? (list #$@tcp))) > + (format out "\ > +~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}" > + (list #$@tcp))) > + > + ;; udp rules > + (when (not (null? (list #$@udp))) > + (format out "\ > +~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}" > + (list #$@udp))) > + > + (display "COMMIT\n" out) > + #t)))))) I'm not an iptables expert but does this config block/open IPv4 as well as IPv6? 
> +(define firewall-shepherd-service > + (match-lambda > + (($ <firewall-configuration> tcp udp) > + (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore")) > + (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore")) > + (ruleset (firewall-configuration->file tcp udp))) > + (shepherd-service > + (documentation "Easy firewall management") > + (provision '(firewall)) > + (start #~(lambda _ > + (invoke #$iptables-restore #$ruleset) > + (invoke #$ip6tables-restore #$ruleset))) > + (stop #~(lambda _ > + (invoke #$iptables-restore #$ruleset) > + (invoke #$ip6tables-restore #$ruleset)))))))) > + > +(define firewall-service-type > + (service-type > + (name 'firewall) > + (description > + "Run @command{iptables-restore}, setting up the specified rules.") > + (extensions > + (list (service-extension shepherd-root-service-type > + (compose list firewall-shepherd-service)))))) > + > + > ;;; networking.scm ends here > > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* [bug#48975] New firewall service
2021-06-12 22:13 ` Solene Rapenne via Guix-patches via
From: Solene Rapenne via Guix-patches via @ 2021-06-12 22:13 UTC
To: Jonathan Brielmaier; +Cc: 48975

On Sat, 12 Jun 2021 21:59:53 +0200
Jonathan Brielmaier <jonathan.brielmaier@web.de>:

> On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> > Hello,
> >
> > I wrote a new firewall service, I already wrote an email to guix-devel
> > about it and I've been suggested to submit it here.
> >
> > The idea is to propose an easy way to manage your firewall. On a
> > personal computer or a server with no fancy network, you certainly want
> > to block access from the outside to all the ports except a few ones.
>
> Hi Solene,
>
> that is a really good idea. So I could get rid of my growing lines of
> plain iptables in my Guix config :)
>
> > The configuration looks like this, currently it only supports TCP and
> > UDP ports. Maybe NAT could be added later or other feature, I'm opened
> > to suggestions.
> >
> > (service firewall-service-type
> >   (firewall-configuration
> >     (udp '(53))
> >     (tcp '(22 70 1965))))
>
> I think we could improve the syntax as to be honest I'm unsure if the
> listed ports are the open or the closed ones.
>
> Maybe we could call this service simple-firewall-service-type or
> something along this.

hello, thanks a lot for your feedback.

I have no argument for a rename, as long as it's understandable. As it's
simple, I like simple-firewall. Do you think this would be easier to
understand by adding "open" to the names?

(service simple-firewall-service-type
  (simple-firewall-configuration
    (open-udp '(53))
    (open-tcp '(22 ...))))

I think we must decide if ICMP is allowed by default or not and the
syntax to enable/disable it. Maybe this? I would disable it by default.

(allow-icmp? #t)

If you stop simple-firewall with the current code, it will block every
inbound port, I'm not sure if it's the correct way to proceed, I suppose
it should flush absolutely everything.

To match most simple use cases, a simple NAT and port redirection could
be done too.

;; do NAT on eth0 and set the according sysctl
(nat-on "eth0")

;; redirect incoming connections on ports 22 and 8080 to another box
(redirect '((22 "192.168.1.50:22")
            (8080 "192.168.1.50:80")))

> > Here is the code, I took bits from iptables as a base and then used the
> > Tor service way to generate the configuration file.
> >
> > diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> > index 87b3d754a3..d311f95448 100644
> > --- a/gnu/services/networking.scm
> > +++ b/gnu/services/networking.scm
>
> You should add a copyright line for yourself at the top of the file.
>

I've been told it's not mandatory. I have no issue adding it though.

I found a ^L character at many places in networking.scm, I don't know if
its appearance is legit or not. I think it's a garbage character that
got copy/pasted over and over. I copied it just in case.

> > +\f
> > +;;;
> > +;;; Firewall
> > +;;;
> > +
* [bug#48975] New firewall service
2021-06-13 9:29 ` Arun Isaac
From: Arun Isaac @ 2021-06-13 9:29 UTC
To: Solene Rapenne, 48975; +Cc: Jonathan Brielmaier

Hi Solene,

Thanks for the great work! I wrote the iptables service in the hope of
some day extending it to something like this, but you've beaten me to
it! :-)

Some feedback follows.

Your implementation duplicates some of the code in the iptables
service. How about making it simply /extend/ the iptables service with
the generated rules? This way, you won't have to handle the start/stop
iptables-restore gexps. The iptables service, when stopped, already has
the correct behaviour of opening all ports.

WDYT?

Regards,
Arun
* [bug#48975] [PATCH] gnu: simple-firewall-service: Add a simple service wrapping iptables
2022-11-04 7:25 ` antlers
From: antlers @ 2022-11-04 7:25 UTC
To: 48975; +Cc: antlers

From: antlers <antlers@luris.net>

* gnu/services/networking.scm (simple-firewall-service): Add.
(iptables-service): Allow a crude sort of service extension.

I tried out a keyword-based syntax:
```
(simple-firewall-configuration
  (allow-forwarding? #t)
  (allowed-ports '(#:both 51234
                   #:tcp 80 443
                   #:udp 4444)))
```
But kept the more verbose tcp and udp fields because I don't want
people to have to use quasiquotes to splice in evaluated port-numbers
after the keywords.

I like the suggestion that there should be a field for redirecting
packets, whether to loopback or another box, as it took me a while to
learn about e.g. masquerading last time I needed to set something like
that up. Not sure what command would be equivalent to the NAT
suggestion?

I guess nftables has superseded iptables, but I'm not as familiar with
it? Perhaps I can add it as a second back-end in the future. My
primary concern right now is a pure Scheme interface for networking
configuration; most notably via service inheritance! Simple-firewall
now lets you open ports via extensions in other services; in order for
this option to be widely available, perhaps it's the
{nf,ip}tables-services that should be extensible? It's a tricky
problem atm because we don't really want services that need ports
depending on a specific backend, there are existing APIs, they use
plain-files over structs or strings, and rule orders need to be
really specific/coordinated. Idk, maybe that isn't something we really
want in the first place, but it sure feels good from a configuration /
organizational point-of-view. Happy to tweak this again if anyone has
ideas.
---
 gnu/services/networking.scm | 79 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 77 insertions(+), 2 deletions(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 19aba8c266..0866c10b34 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -18,6 +18,8 @@ ;;; Copyright © 2021 Christine Lemmer-Webber <cwebber@dustycloud.org> ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net> +;;; Copyright © 2021 Solene Rapenne +;;; Copyright © 2022 antlers <autumnalantlers@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -225,7 +227,11 @@ (define-module (gnu services networking) keepalived-configuration keepalived-configuration? - keepalived-service-type)) + keepalived-service-type + + simple-firewall-service-type + simple-firewall-configuration + simple-firewall-configuration?)) ;;; Commentary: ;;; @@ -1721,7 +1727,13 @@ (define iptables-service-type "Run @command{iptables-restore}, setting up the specified rules.") (extensions (list (service-extension shepherd-root-service-type - (compose list iptables-shepherd-service)))))) + (compose list iptables-shepherd-service)))) + ;; Some services extend iptables, but such services are mutually exclusive, + ;; and should be either extended directly or superseded entirely depending + ;; the complexity of your desired configuration. + (compose identity) + (extend (lambda (config entries) + (last entries))))) ;;; ;;; nftables 
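Review bot: in the iptables-service-type hunk, `(extend (lambda (config entries) (last entries)))` throws away the user's own iptables-configuration whenever any service extends the type, and with two extending services it silently keeps one ruleset and drops the other; the comment calls such services "mutually exclusive" but nothing enforces that, and a firewall ruleset vanishing without an error is exactly the failure a user will not notice. Make the conflict loud and keep the plain case working: return `config` when `entries` is empty, the single entry when there is exactly one, and raise otherwise, for example `(match entries (() config) ((one) one) (_ (error "iptables-service-type: more than one service provides a ruleset")))`. Also, "depending the complexity" in the new comment should read "depending on the complexity", and the simple-firewall-* exports added in the same line again come without a doc/guix.texi entry.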
@@ -2186,4 +2198,67 @@ (define keepalived-service-type "Run @uref{https://www.keepalived.org/, Keepalived} routing software."))) +\f +;;; +;;; Simple Firewall +;;; + +(define-record-type* <simple-firewall-configuration> + simple-firewall-configuration make-simple-firewall-configuration + simple-firewall-configuration? + (allow-icmp? simple-firewall-configuration-allow-icmp? + (default #f)) + (allow-forwarding? simple-firewall-configuration-allow-forwarding? + (default #f)) + + (open-tcp-ports simple-firewall-configuration-open-tcp-ports + (default '())) + (open-udp-ports simple-firewall-configuration-open-udp-ports + (default '()))) + +(define simple-firewall-configuration->iptables-rules + (match-lambda + (($ <simple-firewall-configuration> + allow-icmp? allow-forwarding? + open-tcp-ports open-udp-ports) + (string-join + `("*filter" + ":INPUT DROP" + ,(string-append ":FORWARD " (if allow-forwarding? "ACCEPT" "DROP")) + ":OUTPUT ACCEPT" + "-A INPUT -i lo -j ACCEPT" + "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" + ,@(unless allow-icmp? 
'("-A INPUT -p icmp -j DROP" + "-A INPUT -p icmpv6 -j DROP")) + ,@(map (cut string-append "-A INPUT -p tcp --dport " <> " -j ACCEPT") (map number->string open-tcp-ports)) + ,@(map (cut string-append "-A INPUT -p udp --dport " <> " -j ACCEPT") (map number->string open-udp-ports)) + "-A INPUT -j REJECT --reject-with icmp-port-unreachable" + "COMMIT") + "\n" 'suffix)))) + +(define (simple-firewall-configuration->iptables-configuration config) + (let ((rules (simple-firewall-configuration->iptables-rules config))) + (iptables-configuration + (ipv4-rules (plain-file "iptables.rules" rules)) + (ipv6-rules (plain-file "ip6tables.rules" rules))))) + +(define simple-firewall-service-type + (service-type + (name 'simple-firewall) + (description + "Run @command{iptables-restore}, setting up the specified rules.") + (extensions + (list (service-extension iptables-service-type + simple-firewall-configuration->iptables-configuration))) + (compose concatenate) + (extend (lambda (config entries) + (simple-firewall-configuration + (inherit config) + (open-tcp-ports + (concatenate (map simple-firewall-configuration-open-tcp-ports + (cons config entries)))) + (open-udp-ports + (concatenate (map simple-firewall-configuration-open-udp-ports + (cons config entries))))))))) + ;;; networking.scm ends here -- 2.38.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
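Review bot: `,@(unless allow-icmp? '("-A INPUT -p icmp -j DROP" "-A INPUT -p icmpv6 -j DROP"))` in simple-firewall-configuration->iptables-rules yields an unspecified value, not a list, when allow-icmp? is #t, so the quasiquote fails to splice it and `(allow-icmp? #t)` breaks the system build; write `(if allow-icmp? '() '(...))`. The same `rules` string is then installed as both ipv4-rules and ipv6-rules, and it is not valid for IPv6: `--reject-with icmp-port-unreachable` is the IPv4 spelling and ip6tables-restore refuses it (the v6 REJECT target wants `icmp6-port-unreachable`), and even with that fixed the default `-A INPUT -p icmpv6 -j DROP` blocks neighbour discovery, which the conntrack ESTABLISHED,RELATED rule does not cover, so a v6 host running the default configuration loses connectivity. Build the two rulesets separately and accept ICMPv6 unconditionally in the v6 one. Minor: the two `(cut string-append ...)` lines exceed the file's line width, and the new fields (allow-icmp?, allow-forwarding?, open-tcp-ports, open-udp-ports) and the extension mechanism are not documented in doc/guix.texi.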
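The patch's extend procedure concatenates the port lists of the main configuration and every extension, which is how "open ports via extensions in other services" works in practice. The following is an added configuration example, not part of the patch or of Guix: it assumes the patch above is applied and that simple-firewall-service-type is exported from (gnu services networking); the extension name web-ports is this example's own.

```scheme
;; Added example, not part of the patch.  Assumes the simple-firewall
;; service from the patch above is available from (gnu services networking).
(use-modules (gnu)
             (gnu services networking))

(define %firewall-services
  (list
   ;; The instance that owns allow-icmp? and allow-forwarding?: the patch's
   ;; extend procedure does (inherit config), so only this record's flags
   ;; count, and extensions can only contribute ports.
   (service simple-firewall-service-type
            (simple-firewall-configuration
             (open-tcp-ports '(22))))
   ;; Another service opening ports.  compose is `concatenate', so the value
   ;; given to simple-service must be a list of configurations, not a bare
   ;; record; extend then appends each list's ports to the main
   ;; configuration's.  'web-ports is a hypothetical name for this example.
   (simple-service 'web-ports simple-firewall-service-type
                   (list (simple-firewall-configuration
                          (open-tcp-ports '(80 443))
                          (open-udp-ports '(443)))))))

;; In an operating-system declaration:
;;   (services (append %firewall-services %base-services))
;; With the patch's rules builder, the resulting INPUT chain accepts
;; TCP 22, 80 and 443 and UDP 443 and rejects everything else.
```

Passing a bare simple-firewall-configuration instead of a one-element list would make `concatenate` fail at build time, since it expects a list of lists; that shape is worth stating in the documentation of the service.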
* [bug#48975] [PATCH] gnu: simple-firewall-service: Add a simple service wrapping iptables
2022-11-06 20:39 ` antlers
From: antlers @ 2022-11-06 20:39 UTC
To: 48975

After googling around a bit it looks like the `filter*` and `COMMIT`
commands in iptables configurations do in fact form a transactional
block that would allow us to accept additional plain-files via
extensions and just concatenate them, if that's a road we want to go
down.

On Fri, Nov 4, 2022 at 12:26 AM antlers <autumnalantlers@gmail.com> wrote:
> From: antlers <antlers@luris.net> > > * gnu/services/networking.scm (simple-firewall-service): Add. > (iptables-service): Allow a crude sort of service extension. > > I tried out a keyword-based syntax: > ``` > (simple-firewall-configuration > (allow-forwarding? #t) > (allowed-ports '(#:both 51234 > #:tcp 80 443 > #:udp 4444)) > ``` > But kept the more verbose tcp and udp fields because I don't want > people to have to use quasiquotes to splice in evaluated port-numbers > after the keywords. > > I like the suggestion that there should be a field for redirecting > packets, whether to loopback or another box, as it took me a while to > learn about eg. masquerading last time I needed to set something like > that up. Not sure what command would be equivalent to the NAT > suggestion? > > I guess nftables has superseded iptables, but I'm not as familiar with > it? Perhaps I can add it as a second back-end in the future. My > primary concern right now is a pure Scheme interface for networking > configuration; most notably via service inheritance! Simple-firewall > now lets you open ports via extensions in other services; in order for > this option to be widely available, perhaps it's the > {nf,ip}tables-services that should be extensible? It's a tricky > problem atm because we don't really want services that need ports > depending on a specific backend, there are existing API's, they use > plain-file's over structs or strings, and rule orders need to be > really specific/coordinated. Idk, maybe that isn't something we really > want in the first place, but it sure feels good from a configuration / > organizational point-of-view. Happy to tweak this again if anyone has > ideas. > --- > gnu/services/networking.scm | 79 ++++++++++++++++++++++++++++++++++++- > 1 file changed, 77 insertions(+), 2 deletions(-) > > diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm > index 19aba8c266..0866c10b34 100644 > --- a/gnu/services/networking.scm 
> +++ b/gnu/services/networking.scm > @@ -18,6 +18,8 @@ > ;;; Copyright © 2021 Christine Lemmer-Webber <cwebber@dustycloud.org> > ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> > ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net> > +;;; Copyright © 2021 Solene Rapenne > +;;; Copyright © 2022 antlers <autumnalantlers@gmail.com> > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -225,7 +227,11 @@ (define-module (gnu services networking) > > keepalived-configuration > keepalived-configuration? > - keepalived-service-type)) > + keepalived-service-type > + > + simple-firewall-service-type > + simple-firewall-configuration > + simple-firewall-configuration?)) > > ;;; Commentary: > ;;; > @@ -1721,7 +1727,13 @@ (define iptables-service-type > "Run @command{iptables-restore}, setting up the specified rules.") > (extensions > (list (service-extension shepherd-root-service-type > - (compose list iptables-shepherd-service)))))) > + (compose list iptables-shepherd-service)))) > + ;; Some services extend iptables, but such services are mutually > exclusive, > + ;; and should be either extended directly or superseded entirely > depending > + ;; the complexity of your desired configuration. > + (compose identity) > + (extend (lambda (config entries) > + (last entries))))) > > ;;; > ;;; nftables 
> @@ -2186,4 +2198,67 @@ (define keepalived-service-type > "Run @uref{https://www.keepalived.org/, Keepalived} > routing software."))) > > + > +;;; > +;;; Simple Firewall > +;;; > + > +(define-record-type* <simple-firewall-configuration> > + simple-firewall-configuration make-simple-firewall-configuration > + simple-firewall-configuration? > + (allow-icmp? simple-firewall-configuration-allow-icmp? > + (default #f)) > + (allow-forwarding? simple-firewall-configuration-allow-forwarding? > + (default #f)) > + > + (open-tcp-ports simple-firewall-configuration-open-tcp-ports > + (default '())) > + (open-udp-ports simple-firewall-configuration-open-udp-ports > + (default '()))) > + > +(define simple-firewall-configuration->iptables-rules > + (match-lambda > + (($ <simple-firewall-configuration> > + allow-icmp? allow-forwarding? > + open-tcp-ports open-udp-ports) > + (string-join > + `("*filter" > + ":INPUT DROP" > + ,(string-append ":FORWARD " (if allow-forwarding? "ACCEPT" > "DROP")) > + ":OUTPUT ACCEPT" > + "-A INPUT -i lo -j ACCEPT" > + "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" > + ,@(unless allow-icmp? 
'("-A INPUT -p icmp -j DROP" > + "-A INPUT -p icmpv6 -j DROP")) > + ,@(map (cut string-append "-A INPUT -p tcp --dport " <> " -j > ACCEPT") (map number->string open-tcp-ports)) > + ,@(map (cut string-append "-A INPUT -p udp --dport " <> " -j > ACCEPT") (map number->string open-udp-ports)) > + "-A INPUT -j REJECT --reject-with icmp-port-unreachable" > + "COMMIT") > + "\n" 'suffix)))) > + > +(define (simple-firewall-configuration->iptables-configuration config) > + (let ((rules (simple-firewall-configuration->iptables-rules config))) > + (iptables-configuration > + (ipv4-rules (plain-file "iptables.rules" rules)) > + (ipv6-rules (plain-file "ip6tables.rules" rules))))) > + > +(define simple-firewall-service-type > + (service-type > + (name 'simple-firewall) > + (description > + "Run @command{iptables-restore}, setting up the specified rules.") > + (extensions > + (list (service-extension iptables-service-type > + > simple-firewall-configuration->iptables-configuration))) > + (compose concatenate) > + (extend (lambda (config entries) > + (simple-firewall-configuration > + (inherit config) > + (open-tcp-ports > + (concatenate (map > simple-firewall-configuration-open-tcp-ports > + (cons config entries)))) > + (open-udp-ports > + (concatenate (map > simple-firewall-configuration-open-udp-ports > + (cons config entries))))))))) > + > ;;; networking.scm ends here > -- > 2.38.0 > > [-- Attachment #2: Type: text/html, Size: 8747 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
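Both patches in this thread build the iptables-restore text from port lists, and both hand one string to iptables-restore and ip6tables-restore alike. The following is an added example in Guile, not code from either patch or from Guix: a builder in the same `*filter` ... `COMMIT` shape that produces one ruleset per address family and validates ports before they are written into the file. The names firewall-rules, valid-port?, validate-ports and rejects-bad-port? are this example's own, and the injected "port" string in the last check is constructed for the demonstration.

```scheme
;; Added example; not code from the patch or from Guix itself.  Builds one
;; iptables-restore ruleset per address family in the same "*filter" ...
;; "COMMIT" shape the patch uses, validating ports before they are spliced in.
(use-modules (srfi srfi-1)
             (ice-9 format))

(define (valid-port? x)
  "True if X is an exact integer in the TCP/UDP port range."
  (and (exact-integer? x) (<= 1 x 65535)))

(define (validate-ports ports)
  "Return PORTS, or raise if any element is not a port number.  Every
element ends up verbatim in a root-owned ruleset, so refuse anything that
is not known to be a port before the file is written."
  (for-each (lambda (p)
              (unless (valid-port? p)
                (error "not a TCP/UDP port number:" p)))
            ports)
  ports)

(define* (firewall-rules #:key (family 'ipv4) (tcp '()) (udp '())
                         (allow-icmp? #f) (allow-forwarding? #f))
  "Return an iptables-restore ruleset string for FAMILY, 'ipv4 or 'ipv6,
opening the TCP and UDP ports given and rejecting everything else."
  (define (accept-rule proto port)
    (format #f "-A INPUT -p ~a --dport ~a -j ACCEPT" proto port))
  (string-join
   `("*filter"
     ":INPUT DROP"
     ,(string-append ":FORWARD " (if allow-forwarding? "ACCEPT" "DROP"))
     ":OUTPUT ACCEPT"
     "-A INPUT -i lo -j ACCEPT"
     "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
     ;; `if'/`case', not `unless': the false branch of `unless' is
     ;; unspecified and cannot be spliced with ,@.  IPv6 neighbour discovery
     ;; is ICMPv6 and is not matched by the conntrack rule, so the v6 ruleset
     ;; accepts ICMPv6 whatever ALLOW-ICMP? says.
     ,@(case family
         ((ipv4) (list (string-append "-A INPUT -p icmp -j "
                                      (if allow-icmp? "ACCEPT" "DROP"))))
         ((ipv6) '("-A INPUT -p icmpv6 -j ACCEPT"))
         (else (error "unknown address family:" family)))
     ,@(map (lambda (port) (accept-rule "tcp" port)) (validate-ports tcp))
     ,@(map (lambda (port) (accept-rule "udp" port)) (validate-ports udp))
     ;; The REJECT target names its reason per family; the IPv4 spelling is
     ;; not accepted by ip6tables-restore.
     ,(if (eq? family 'ipv6)
          "-A INPUT -j REJECT --reject-with icmp6-port-unreachable"
          "-A INPUT -j REJECT --reject-with icmp-port-unreachable")
     "COMMIT")
   "\n" 'suffix))

(define (rejects-bad-port?)
  "True if a non-port value is refused instead of being spliced into the
ruleset.  The string below is constructed for this check; unvalidated, it
would have added an unconditional ACCEPT rule."
  (catch 'misc-error
    (lambda ()
      (firewall-rules #:tcp '("22 -j ACCEPT\n-A INPUT -j ACCEPT"))
      #f)
    (lambda _ #t)))

;; Usage: the port lists from the thread's example configuration, one
;; ruleset per family, with the properties discussed above checked.
(let ((v4 (firewall-rules #:family 'ipv4 #:tcp '(22 70 1965) #:udp '(53)))
      (v6 (firewall-rules #:family 'ipv6 #:tcp '(22 70 1965) #:udp '(53))))
  (unless (string-contains v4 "-A INPUT -p udp --dport 53 -j ACCEPT")
    (error "udp rule missing"))
  (unless (string-contains v6 "icmp6-port-unreachable")
    (error "wrong IPv6 reject type"))
  (unless (rejects-bad-port?)
    (error "port validation did not fire"))
  (display v4)
  (display v6))
```

In a Guix service the two strings would go into separate plain-file objects for ipv4-rules and ipv6-rules of iptables-configuration, so that each family gets the ruleset its tooling accepts; everything before the port rules stays identical, which is what makes concatenating per-service fragments inside one `*filter` ... `COMMIT` block workable.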