author | Austin Seipp <aseipp@pobox.com> | 2014-02-19 05:19:19 -0600 |
---|---|---|
committer | Domen Kožar <domen@dev.si> | 2014-02-22 18:19:22 +0100 |
commit | fc9022bea1cf99085df4c1f023a69b08dcfcfa99 (patch) | |
tree | 628ba834b16d98768cf3e283a5686572263f1636 /nixos | |
parent | 0df7152c8f7c685f6b3701bcb2900689851ebe68 (diff) | |
firewall: add support for TCP/UDP port ranges
This is useful for packages like mosh, which use a wide UDP port range by default for incoming connections. Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 3c0c51e6ec8a..babde3e942b3 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -128,6 +128,17 @@ in
 '';
 };
 
+ networking.firewall.allowedTCPPortRanges = mkOption {
+ default = [];
+ example = [ { from = 8999; to = 9003; } ];
+ type = types.listOf (types.attrsOf types.int);
+ description =
+ ''
+ A range of TCP ports on which incoming connections are
+ accepted.
+ '';
+ };
+
 networking.firewall.allowedUDPPorts = mkOption {
 default = [];
 example = [ 53 ];
@@ -138,6 +149,16 @@ in
 '';
 };
 
+ networking.firewall.allowedUDPPortRanges = mkOption {
+ default = [];
+ example = [ { from = 60000; to = 61000; } ];
+ type = types.listOf (types.attrsOf types.int);
+ description =
+ ''
+ Range of open UDP ports.
+ '';
+ };
+
 networking.firewall.allowPing = mkOption {
 default = false;
 type = types.bool;
@@ -322,6 +343,15 @@ in
 ) cfg.allowedTCPPorts
 }
 
+ # Accept connections to the allowed TCP port ranges.
+ ${concatMapStrings (rangeAttr:
+ let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
+ ''
+ ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept
+ ''
+ ) cfg.allowedTCPPortRanges
+ }
+
 # Accept packets on the allowed UDP ports.
 ${concatMapStrings (port:
 ''
@@ -330,6 +360,15 @@ in
 ) cfg.allowedUDPPorts
 }
 
+ # Accept packets on the allowed UDP port ranges.
+ ${concatMapStrings (rangeAttr:
+ let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in
+ ''
+ ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept
+ ''
+ ) cfg.allowedUDPPortRanges
+ }
+
 # Accept IPv4 multicast. Not a big security risk since
 # probably nobody is listening anyway.
 #iptables -A nixos-fw -d 224.0.0.0/4 -j nixos-fw-accept
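Review bot: The element type `types.attrsOf types.int` in the `allowedTCPPortRanges` option accepts any attribute set of integers, so an entry missing `from` or `to`, or carrying a misspelled key such as `form`, passes option type checking and only fails later when `rangeAttr.from` is evaluated inside the rule builder, with an "attribute missing" error far from the option that caused it. The `allowedUDPPortRanges` option in the next hunk uses the same type and has the same gap. If `types.submodule` is available in this tree, an element submodule with required `from` and `to` options would reject malformed entries where they are declared and would also document the two fields in the generated manual; otherwise a `check` on the element type that requires both keys would be a smaller step. The description should also say this is a list of ranges, e.g. `A list of TCP port ranges on which incoming connections are accepted.`
```nix
type = types.listOf (types.submodule {
  options = {
    from = mkOption { type = types.int; description = "Lower bound of the port range (inclusive)."; };
    to   = mkOption { type = types.int; description = "Upper bound of the port range (inclusive)."; };
  };
});
```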
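Review bot: The description `Range of open UDP ports.` is worded differently from the TCP counterpart and, like it, describes a single range even though the option is a list of `{ from; to; }` sets. Suggest `A list of UDP port ranges on which incoming packets are accepted.` so the two options read consistently and the list shape is clear from the manual. The element-type concern raised for `allowedTCPPortRanges` applies here unchanged.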
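Review bot: Nothing checks that `rangeAttr.from <= rangeAttr.to`, or that both values fall within 1–65535, before they are interpolated into `--dport ${range}`, so a swapped or out-of-range pair is presumably only discovered when `ip46tables` rejects the rule at firewall start, and — depending on how the surrounding script treats a failing command, which is outside this hunk — later accept rules in the chain may never be installed. The UDP block in the next hunk has the same gap. A NixOS `assertions` entry over both `cfg.allowedTCPPortRanges` and `cfg.allowedUDPPortRanges` that checks ordering and bounds, with a message naming the offending range, would turn this into an evaluation-time error; computing `range` through one small helper shared by the TCP and UDP blocks would keep that check in a single place. Interpolating the values into the shell string is otherwise fine, since the option type restricts them to integers; the enclosing rule-script string starts and ends outside the hunk.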