GNU bug report logs - #48975
New firewall service


Package: guix-patches;

Reported by: Solene Rapenne <solene <at> perso.pw>

Date: Sat, 12 Jun 2021 17:21:02 UTC

Severity: normal



Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Solene Rapenne <solene <at> perso.pw>
To: guix-patches <at> gnu.org
Subject: New firewall service
Date: Sat, 12 Jun 2021 19:19:59 +0200

Hello,

I wrote a new firewall service. I already wrote an email to guix-devel
about it, and it was suggested that I submit it here.

The idea is to propose an easy way to manage your firewall. On a
personal computer or a server with no fancy network, you certainly want
to block access from the outside to all the ports except a few.

The configuration looks like this; currently it only supports TCP and
UDP ports. Maybe NAT or other features could be added later; I'm open
to suggestions.

(service firewall-service-type
  (firewall-configuration
    (udp '(53))
    (tcp '(22 70 1965))))


Here is the code. I took bits from iptables as a base and then used the
Tor service's approach to generating the configuration file.

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 87b3d754a3..d311f95448 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -221,7 +221,11 @@
 
             keepalived-configuration
             keepalived-configuration?
-            keepalived-service-type))
+            keepalived-service-type
+
+            firewall-service-type
+            firewall-configuration
+            firewall-configuration?))
 
 ;;; Commentary:
 ;;;
@@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network.")))
                  "Run @uref{https://www.keepalived.org/, Keepalived}
 routing software.")))
 
+
+;;;
+;;; Firewall
+;;;
+
+(define-record-type* <firewall-configuration>
+  firewall-configuration make-firewall-configuration
+  firewall-configuration?
+  (tcp firewall-configuration-tcp
+       (default '()))
+  (udp firewall-configuration-udp
+       (default '())))
+
+(define (firewall-configuration->file tcp udp)
+  "Return the iptables rules from the ports list"
+  (computed-file
+   "firewall-generated-rules"
+   (with-imported-modules '((guix build utils))
+     #~(begin
+         (use-modules (guix build utils)
+                      (ice-9 match))
+         (call-with-output-file #$output
+           (lambda (out)
+             (display "\
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out)
+
+             ;; tcp rules
+             (when (not (null? (list #$@tcp)))
+               (format out "\
+~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}"
+                       (list #$@tcp)))
+
+             ;; udp rules
+             (when (not (null? (list #$@udp)))
+               (format out "\
+~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}"
+                       (list #$@udp)))
+
+             (display "COMMIT\n" out)
+             #t))))))
+
+(define firewall-shepherd-service
+  (match-lambda
+    (($ <firewall-configuration> tcp udp)
+     (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
+            (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore"))
+            (ruleset (firewall-configuration->file tcp udp)))
+       (shepherd-service
+        (documentation "Easy firewall management")
+        (provision '(firewall))
+        (start #~(lambda _
+                   (invoke #$iptables-restore  #$ruleset)
+                   (invoke #$ip6tables-restore #$ruleset)))
+        (stop #~(lambda _
+                  (invoke #$iptables-restore #$ruleset)
+                  (invoke #$ip6tables-restore #$ruleset))))))))
+
+(define firewall-service-type
+  (service-type
+   (name 'firewall)
+   (description
+    "Run @command{iptables-restore}, setting up the specified rules.")
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             (compose list firewall-shepherd-service))))))
+
+
 ;;; networking.scm ends here
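Review bot: `stop` runs `iptables-restore` with the same `ruleset` as `start`, so stopping the service leaves every rule in place instead of opening the ports again; either drop `stop` or give it a separate flush ruleset (a `*filter` block with ACCEPT policies and no rules, then `COMMIT`), which is the behaviour the existing iptables service has on stop. The same ruleset is also loaded through `ip6tables-restore`: with `:INPUT DROP` and only the loopback and conntrack ACCEPT rules, ICMPv6 neighbour discovery (types 133-136) and packet-too-big (type 2) are dropped, which breaks IPv6 connectivity on the host, so the IPv6 variant needs explicit ACCEPT rules for those types (RFC 4890 lists them). Minor: `(ice-9 match)` and `(guix build utils)` are imported in the gexp but never used, `(when (not (null? ...)))` reads more naturally as `(unless (null? ...))`, and since the rules are fully known at evaluation time a `plain-file` built with `string-join` would avoid the `computed-file` build entirely.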





Message #8 received at 48975 <at> debbugs.gnu.org (full text, mbox):

From: Jonathan Brielmaier <jonathan.brielmaier <at> web.de>
To: Solene Rapenne <solene <at> perso.pw>, 48975 <at> debbugs.gnu.org
Subject: Re: [bug#48975] New firewall service
Date: Sat, 12 Jun 2021 21:59:53 +0200

On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> Hello,
>
> I wrote a new firewall service, I already wrote an email to guix-devel
> about it and I've been suggested to submit it here.
>
> The idea is to propose an easy way to manage your firewall. On a
> personal computer or a server with no fancy network, you certainly want
> to block access from the outside to all the ports except a few ones.

Hi Solene,

that is a really good idea. So I could get rid of my growing lines of
plain iptables in my Guix config :)

> The configuration looks like this, currently it only supports TCP and
> UDP ports. Maybe NAT could be added later or other feature, I'm opened
> to suggestions.
>
> (service firewall-service-type
>    (firewall-configuration
>      (udp '(53))
>      (tcp '(22 70 1965))))

I think we could improve the syntax, as to be honest I'm unsure whether
the listed ports are the open or the closed ones.

Maybe we could call this service simple-firewall-service-type or
something along those lines.

>
> Here is the code, I took bits from iptables as a base and then used the
> Tor service way to generate the configuration file.
>
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 87b3d754a3..d311f95448 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm

You should add a copyright line for yourself at the top of the file.

> @@ -221,7 +221,11 @@
>
>               keepalived-configuration
>               keepalived-configuration?
> -            keepalived-service-type))
> +            keepalived-service-type
> +
> +            firewall-service-type
> +            firewall-configuration
> +            firewall-configuration?))
>
>   ;;; Commentary:
>   ;;;
> @@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network.")))
>                    "Run @uref{https://www.keepalived.org/, Keepalived}
>   routing software.")))
>
> +
> +;;;
> +;;; Firewall
> +;;;
> +
> +(define-record-type* <firewall-configuration>
> +  firewall-configuration make-firewall-configuration
> +  firewall-configuration?
> +  (tcp firewall-configuration-tcp
> +       (default '()))
> +  (udp firewall-configuration-udp
> +       (default '())))
> +
> +(define (firewall-configuration->file tcp udp)
> +  "Return the iptables rules from the ports list"
> +  (computed-file
> +   "firewall-generated-rules"
> +   (with-imported-modules '((guix build utils))
> +     #~(begin
> +         (use-modules (guix build utils)
> +                      (ice-9 match))
> +         (call-with-output-file #$output
> +           (lambda (out)
> +             (display "\
> +*filter
> +:INPUT DROP
> +:FORWARD DROP
> +:OUTPUT ACCEPT
> +-A INPUT -i lo -j ACCEPT
> +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out)
> +
> +             ;; tcp rules
> +             (when (not (null? (list #$@tcp)))
> +               (format out "\
> +~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}"
> +                       (list #$@tcp)))
> +
> +             ;; udp rules
> +             (when (not (null? (list #$@udp)))
> +               (format out "\
> +~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}"
> +                       (list #$@udp)))
> +
> +             (display "COMMIT\n" out)
> +             #t))))))

I'm not an iptables expert but does this config block/open IPv4 as well
as IPv6?

> +(define firewall-shepherd-service
> +  (match-lambda
> +    (($ <firewall-configuration> tcp udp)
> +     (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
> +            (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore"))
> +            (ruleset (firewall-configuration->file tcp udp)))
> +       (shepherd-service
> +        (documentation "Easy firewall management")
> +        (provision '(firewall))
> +        (start #~(lambda _
> +                   (invoke #$iptables-restore  #$ruleset)
> +                   (invoke #$ip6tables-restore #$ruleset)))
> +        (stop #~(lambda _
> +                  (invoke #$iptables-restore #$ruleset)
> +                  (invoke #$ip6tables-restore #$ruleset))))))))
> +
> +(define firewall-service-type
> +  (service-type
> +   (name 'firewall)
> +   (description
> +    "Run @command{iptables-restore}, setting up the specified rules.")
> +   (extensions
> +    (list (service-extension shepherd-root-service-type
> +                             (compose list firewall-shepherd-service))))))
> +
> +
>   ;;; networking.scm ends here
>
>
>





Message #11 received at 48975 <at> debbugs.gnu.org (full text, mbox):

From: Solene Rapenne <solene <at> perso.pw>
To: Jonathan Brielmaier <jonathan.brielmaier <at> web.de>
Cc: 48975 <at> debbugs.gnu.org
Subject: Re: [bug#48975] New firewall service
Date: Sun, 13 Jun 2021 00:13:58 +0200

On Sat, 12 Jun 2021 21:59:53 +0200
Jonathan Brielmaier <jonathan.brielmaier <at> web.de>:

> On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> > Hello,
> >
> > I wrote a new firewall service, I already wrote an email to guix-devel
> > about it and I've been suggested to submit it here.
> >
> > The idea is to propose an easy way to manage your firewall. On a
> > personal computer or a server with no fancy network, you certainly want
> > to block access from the outside to all the ports except a few ones.  
> 
> Hi Solene,
> 
> that is a really good idea. So I could get rid of my growing lines of
> plain iptables in my Guix config :)
> 
> > The configuration looks like this, currently it only supports TCP and
> > UDP ports. Maybe NAT could be added later or other feature, I'm opened
> > to suggestions.
> >
> > (service firewall-service-type
> >    (firewall-configuration
> >      (udp '(53))
> >      (tcp '(22 70 1965))))  
> 
> I think we could improve the syntax as to be honest I'm unsure if the
> listed ports are the open or the closed ones.
> 
> Maybe we could call this service simple-firewall-service-type or
> something along this.

Hello, thanks a lot for your feedback.

I have no argument for a rename, as long as it's understandable.
As it's simple, I like simple-firewall.

Do you think this would be easier to understand by adding "open"
to the names?

(service simple-firewall-service-type
  (simple-firewall-configuration
    (open-udp '(53))
    (open-tcp '(22 ...))))

I think we must decide whether ICMP is allowed by default or not, and
the syntax to enable/disable it. Maybe this? I would disable it by
default.

    (allow-icmp? #t)

If you stop simple-firewall with the current code, it will block
every inbound port. I'm not sure if that's the correct way to proceed; I
suppose it should flush absolutely everything.

To match the most simple use cases, a simple NAT and port redirection
could be done too.

    ;; do NAT on eth0 and set the according sysctl
    (nat-on "eth0")

    ;; redirect incoming connections on ports 22 and 8080 to another box
    (redirect '((22 "192.168.1.50:22")
                (8080 "192.168.1.50:80"))
 
> >
> > Here is the code, I took bits from iptables as a base and then used the
> > Tor service way to generate the configuration file.
> >
> > diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> > index 87b3d754a3..d311f95448 100644
> > --- a/gnu/services/networking.scm
> > +++ b/gnu/services/networking.scm  
> 
> You should add a copyright line for yourself at the top of the file.
> 

I've been told it's not mandatory.  I have no issue adding it though.

I found a ^L character in many places in networking.scm; I don't
know whether its presence is legitimate or not. I think it's a garbage
character that got copy/pasted over and over. I copied it just in
case.

> >
> > +
> > +;;;
> > +;;; Firewall
> > +;;;
> > +





Message #14 received at 48975 <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Solene Rapenne <solene <at> perso.pw>, 48975 <at> debbugs.gnu.org
Cc: Jonathan Brielmaier <jonathan.brielmaier <at> web.de>
Subject: Re: [bug#48975] New firewall service
Date: Sun, 13 Jun 2021 14:59:31 +0530

Hi Solene,

Thanks for the great work! I wrote the iptables service in the hope of
some day extending it to something like this, but you've beaten me to
it! :-) Some feedback follows.

Your implementation duplicates some of the code in the iptables
service. How about making it simply /extend/ the iptables service with
the generated rules? This way, you won't have to handle the start/stop
iptables-restore gexps. The iptables service, when stopped, already has
the correct behaviour of opening all ports.

WDYT?

Regards,
Arun


Message #17 received at 48975 <at> debbugs.gnu.org (full text, mbox):

From: antlers <autumnalantlers <at> gmail.com>
To: 48975 <at> debbugs.gnu.org
Cc: antlers <antlers <at> luris.net>
Subject: [PATCH] gnu: simple-firewall-service: Add a simple service wrapping
 iptables
Date: Fri,  4 Nov 2022 00:25:50 -0700

From: antlers <antlers <at> luris.net>

 * gnu/services/networking.scm (simple-firewall-service): Add.
   (iptables-service): Allow a crude sort of service extension.

I tried out a keyword-based syntax:
```
(simple-firewall-configuration
  (allow-forwarding? #t)
  (allowed-ports '(#:both 51234
                   #:tcp  80 443
                   #:udp  4444))
```
But kept the more verbose tcp and udp fields because I don't want
people to have to use quasiquotes to splice in evaluated port-numbers
after the keywords.

I like the suggestion that there should be a field for redirecting
packets, whether to loopback or another box, as it took me a while to
learn about e.g. masquerading last time I needed to set something like
that up. Not sure what command would be equivalent to the NAT
suggestion?

I guess nftables has superseded iptables, but I'm not as familiar with
it? Perhaps I can add it as a second back-end in the future. My
primary concern right now is a pure Scheme interface for networking
configuration; most notably via service inheritance! Simple-firewall
now lets you open ports via extensions in other services; in order for
this option to be widely available, perhaps it's the
{nf,ip}tables-services that should be extensible? It's a tricky
problem atm because we don't really want services that need ports
depending on a specific backend, there are existing APIs, they use
plain-files over structs or strings, and rule orders need to be
really specific/coordinated. Idk, maybe that isn't something we really
want in the first place, but it sure feels good from a configuration /
organizational point-of-view. Happy to tweak this again if anyone has
ideas.
---
 gnu/services/networking.scm | 79 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 77 insertions(+), 2 deletions(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 19aba8c266..0866c10b34 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -18,6 +18,8 @@
 ;;; Copyright © 2021 Christine Lemmer-Webber <cwebber <at> dustycloud.org>
 ;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be>
 ;;; Copyright © 2021 Guillaume Le Vaillant <glv <at> posteo.net>
+;;; Copyright © 2021 Solene Rapenne
+;;; Copyright © 2022 antlers <autumnalantlers <at> gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -225,7 +227,11 @@ (define-module (gnu services networking)
 
             keepalived-configuration
             keepalived-configuration?
-            keepalived-service-type))
+            keepalived-service-type
+
+            simple-firewall-service-type
+            simple-firewall-configuration
+            simple-firewall-configuration?))
 
 ;;; Commentary:
 ;;;
@@ -1721,7 +1727,13 @@ (define iptables-service-type
     "Run @command{iptables-restore}, setting up the specified rules.")
    (extensions
     (list (service-extension shepherd-root-service-type
-                             (compose list iptables-shepherd-service))))))
+                             (compose list iptables-shepherd-service))))
+   ;; Some services extend iptables, but such services are mutually exclusive,
+   ;; and should be either extended directly or superseded entirely depending
+   ;; the complexity of your desired configuration.
+   (compose identity)
+   (extend (lambda (config entries)
+             (last entries)))))
 
 ;;;
 ;;; nftables
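Review bot: `(extend (lambda (config entries) (last entries)))` silently discards the user's own `config` as well as every extension but the last, so two services that both extend `iptables-service-type` leave only one of them in effect with no diagnostic, and if `entries` is ever empty `(last '())` raises an error. Suggest at least `(if (null? entries) config (last entries))`, and raising an error (or a warning) when `entries` has more than one element, since the comment itself says such extensions are mutually exclusive. In that comment, "depending the complexity" should read "depending on the complexity".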
@@ -2186,4 +2198,67 @@ (define keepalived-service-type
                  "Run @uref{https://www.keepalived.org/, Keepalived}
 routing software.")))
 
+
+;;;
+;;; Simple Firewall
+;;;
+
+(define-record-type* <simple-firewall-configuration>
+  simple-firewall-configuration make-simple-firewall-configuration
+  simple-firewall-configuration?
+  (allow-icmp? simple-firewall-configuration-allow-icmp?
+               (default #f))
+  (allow-forwarding? simple-firewall-configuration-allow-forwarding?
+                     (default #f))
+
+  (open-tcp-ports simple-firewall-configuration-open-tcp-ports
+                 (default '()))
+  (open-udp-ports simple-firewall-configuration-open-udp-ports
+                 (default '())))
+
+(define simple-firewall-configuration->iptables-rules
+  (match-lambda
+    (($ <simple-firewall-configuration>
+        allow-icmp? allow-forwarding?
+        open-tcp-ports open-udp-ports)
+     (string-join
+       `("*filter"
+         ":INPUT DROP"
+         ,(string-append ":FORWARD " (if allow-forwarding? "ACCEPT" "DROP"))
+         ":OUTPUT ACCEPT"
+         "-A INPUT -i lo -j ACCEPT"
+         "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+         ,@(unless allow-icmp? '("-A INPUT -p icmp   -j DROP"
+                                 "-A INPUT -p icmpv6 -j DROP"))
+         ,@(map (cut string-append "-A INPUT -p tcp --dport " <>  " -j ACCEPT") (map number->string open-tcp-ports))
+         ,@(map (cut string-append "-A INPUT -p udp --dport " <>  " -j ACCEPT") (map number->string open-udp-ports))
+         "-A INPUT -j REJECT --reject-with icmp-port-unreachable"
+         "COMMIT")
+       "\n" 'suffix))))
+
+(define (simple-firewall-configuration->iptables-configuration config)
+  (let ((rules (simple-firewall-configuration->iptables-rules config)))
+    (iptables-configuration
+      (ipv4-rules (plain-file "iptables.rules" rules))
+      (ipv6-rules (plain-file "ip6tables.rules" rules)))))
+
+(define simple-firewall-service-type
+  (service-type
+   (name 'simple-firewall)
+   (description
+    "Run @command{iptables-restore}, setting up the specified rules.")
+   (extensions
+     (list (service-extension iptables-service-type
+                              simple-firewall-configuration->iptables-configuration)))
+   (compose concatenate)
+   (extend (lambda (config entries)
+             (simple-firewall-configuration
+              (inherit config)
+              (open-tcp-ports
+                (concatenate (map simple-firewall-configuration-open-tcp-ports
+                                  (cons config entries))))
+              (open-udp-ports
+                (concatenate (map simple-firewall-configuration-open-udp-ports
+                                  (cons config entries)))))))))
+
 ;;; networking.scm ends here
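Review bot: `,@(unless allow-icmp? '(...))` is a bug whenever `allow-icmp?` is #t: `unless` with a true condition returns an unspecified value, not `'()`, so splicing it into the quasiquoted list fails with a wrong-type error from `append`; write `(if allow-icmp? '() '("-A INPUT -p icmp   -j DROP" "-A INPUT -p icmpv6 -j DROP"))` instead. The same `rules` string is reused as `ipv6-rules`, but `--reject-with icmp-port-unreachable` is an IPv4 reject type that `ip6tables-restore` does not accept (the IPv6 name is `icmp6-port-unreachable`), so the IPv6 ruleset will fail to load; either generate a per-family ruleset or drop `--reject-with` and rely on the default. With `allow-icmp?` defaulting to #f, the IPv6 ruleset also drops all ICMPv6 including neighbour discovery (types 133-136) and packet-too-big (type 2), which disables IPv6 on the host; those types should be accepted regardless of the flag (RFC 4890). Minor: the two `map`/`cut` lines are well over the usual line length and could share one helper taking the protocol name, and please confirm `(srfi srfi-26)` is among the module's imports since `cut` is used.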
-- 
2.38.0
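Added example, not code from the thread or from Guix: a stand-alone Guile procedure, `simple-firewall-rules` (the name, `port-rules` and `required-icmpv6-types` are assumptions here), that builds a ruleset from the `simple-firewall-configuration` fields but emits one ruleset per address family, so the IPv6 file uses ip6tables' reject type and keeps neighbour discovery open even when `allow-icmp?` is #f.

```scheme
(use-modules (ice-9 format))

;; ICMPv6 types an IPv6 host needs even when other ICMP is blocked:
;; 2 is packet-too-big (path MTU discovery), 133-136 are router and
;; neighbour solicitation/advertisement (neighbour discovery).
(define required-icmpv6-types '(2 133 134 135 136))

(define (port-rules proto ports)
  "Return one INPUT ACCEPT rule per port in PORTS for protocol PROTO,
rejecting anything that is not a valid port number at generation time."
  (map (lambda (port)
         (unless (and (integer? port) (<= 1 port 65535))
           (error "simple-firewall: invalid port" port))
         (format #f "-A INPUT -p ~a --dport ~a -j ACCEPT" proto port))
       ports))

(define* (simple-firewall-rules family
                                #:key (tcp '()) (udp '())
                                (allow-icmp? #f) (allow-forwarding? #f))
  "Return an iptables-restore ruleset (a string) for FAMILY, which is
either 'ipv4 or 'ipv6.  The two families differ in the ICMP protocol
name, the reject type, and the ICMPv6 types that must stay open."
  (define ipv6? (eq? family 'ipv6))

  (define icmp-rules
    (cond ((and allow-icmp? ipv6?)
           '("-A INPUT -p ipv6-icmp -j ACCEPT"))
          (allow-icmp?
           '("-A INPUT -p icmp -j ACCEPT"))
          (ipv6?
           ;; Even with ICMP "disabled", neighbour discovery and
           ;; packet-too-big must get through or IPv6 stops working.
           (map (lambda (type)
                  (format #f "-A INPUT -p ipv6-icmp --icmpv6-type ~a -j ACCEPT"
                          type))
                required-icmpv6-types))
          (else '())))

  (unless (memq family '(ipv4 ipv6))
    (error "simple-firewall: unknown address family" family))

  (string-join
   (append
    (list "*filter"
          ":INPUT DROP"
          (string-append ":FORWARD " (if allow-forwarding? "ACCEPT" "DROP"))
          ":OUTPUT ACCEPT"
          "-A INPUT -i lo -j ACCEPT"
          "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    icmp-rules
    (port-rules "tcp" tcp)
    (port-rules "udp" udp)
    ;; The reject type is family-specific; ip6tables-restore does not
    ;; accept the IPv4 name.
    (list (if ipv6?
              "-A INPUT -j REJECT --reject-with icmp6-port-unreachable"
              "-A INPUT -j REJECT --reject-with icmp-port-unreachable")
          "COMMIT"))
   "\n" 'suffix))

;; Usage: the configuration from the thread, once per address family.
(display (simple-firewall-rules 'ipv4 #:tcp '(22 70 1965) #:udp '(53)))
(display (simple-firewall-rules 'ipv6 #:tcp '(22 70 1965) #:udp '(53)))
```

Each returned string can be wrapped in a `plain-file` and handed to `iptables-configuration` as `ipv4-rules` and `ipv6-rules` respectively.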






Message #20 received at 48975 <at> debbugs.gnu.org (full text, mbox):

From: antlers <autumnalantlers <at> gmail.com>
To: 48975 <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: simple-firewall-service: Add a simple service
 wrapping iptables
Date: Sun, 6 Nov 2022 12:39:26 -0800

After googling around a bit it looks like the `*filter` and `COMMIT`
commands in iptables configurations do in fact form a transactional block
that would allow us to accept additional plain-files via extensions and
just concatenate them, if that's a road we want to go down.
