author | Franz Pletz <fpletz@fnordicwalking.de> | 2017-01-22 17:29:38 +0100 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2017-01-25 01:14:04 +0100 |
commit | 8322a12ef2ce6ea5a239b2221aa6f9a2fe84d904 (patch) | |
tree | f1057f2cff72dbccb3f3c7f72067c3fa76916dcd /nixos/modules | |
parent | 403fdd737eb353734591ee59711f8c5d26ca4f90 (diff) | |
firewall: disable conntrack helper autoloading by default
This has been disabled in the Linux kernel since 4.7 and poses a security risk if not configured properly. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 0b0ee57cf7ad..34b731ad35c9 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -425,7 +425,7 @@ in networking.firewall.connectionTrackingModules = mkOption { type = types.listOf types.str; - default = [ "ftp" ]; + default = [ ]; example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; description = '' @@ -434,9 +434,11 @@ in As helpers can pose as a security risk, it is advised to set this to an empty list and disable the setting - networking.firewall.autoLoadConntrackHelpers + networking.firewall.autoLoadConntrackHelpers unless you + know what you are doing. Connection tracking is disabled + by default. - Loading of helpers is recommended to be done through the new + Loading of helpers is recommended to be done through the CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/ ''; @@ -444,7 +446,7 @@ in networking.firewall.autoLoadConntrackHelpers = mkOption { type = types.bool; - default = true; + default = false; description = '' Whether to auto-load connection-tracking helpers. @@ -504,9 +506,10 @@ in environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages; - boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; - boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) '' - options nf_conntrack nf_conntrack_helper=0 + boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack") + ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; + boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers '' + options nf_conntrack nf_conntrack_helper=1 ''; assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter; |
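Review bot: The added description line `Connection tracking is disabled by default.` in the second hunk is misleading: the new defaults turn off only the automatic assignment of conntrack helpers (the `nf_conntrack_helper` switch toggled in the last hunk), not connection tracking itself, and a reader could take it to mean stateful filtering is off. Suggest `Automatic assignment of conntrack helpers is disabled by default.` so the text matches what `autoLoadConntrackHelpers = false` actually controls. In the last hunk, `options nf_conntrack nf_conntrack_helper=1` only takes effect if `nf_conntrack` is loaded after modprobe.d is populated; if the module is built in or already loaded earlier in boot, the option is inert and the corresponding `net.netfilter.nf_conntrack_helper` sysctl would be the reliable way to set it — worth confirming on a system where the option is enabled. Also worth a note in the `connectionTrackingModules` description that, with autoloading off, any helper modules listed there are loaded but do nothing until they are assigned explicitly via the CT target.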