diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/firewall.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/networking/firewall.nix | 42 |
1 files changed, 21 insertions, 21 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/firewall.nix b/nixpkgs/nixos/modules/services/networking/firewall.nix index ac02a93836b8..a35cc51a3870 100644 --- a/nixpkgs/nixos/modules/services/networking/firewall.nix +++ b/nixpkgs/nixos/modules/services/networking/firewall.nix @@ -15,7 +15,7 @@ let default = [ ]; apply = canonicalizePortList; example = [ 22 80 ]; - description = lib.mdDoc '' + description = '' List of TCP ports on which incoming connections are accepted. ''; @@ -25,7 +25,7 @@ let type = types.listOf (types.attrsOf types.port); default = [ ]; example = [{ from = 8999; to = 9003; }]; - description = lib.mdDoc '' + description = '' A range of TCP ports on which incoming connections are accepted. ''; @@ -36,7 +36,7 @@ let default = [ ]; apply = canonicalizePortList; example = [ 53 ]; - description = lib.mdDoc '' + description = '' List of open UDP ports. ''; }; @@ -45,7 +45,7 @@ let type = types.listOf (types.attrsOf types.port); default = [ ]; example = [{ from = 60000; to = 61000; }]; - description = lib.mdDoc '' + description = '' Range of open UDP ports. ''; }; @@ -61,7 +61,7 @@ in enable = mkOption { type = types.bool; default = true; - description = lib.mdDoc '' + description = '' Whether to enable the firewall. This is a simple stateful firewall that blocks connection attempts to unauthorised TCP or UDP ports on this machine. @@ -73,7 +73,7 @@ in default = if config.networking.nftables.enable then pkgs.nftables else pkgs.iptables; defaultText = literalExpression ''if config.networking.nftables.enable then "pkgs.nftables" else "pkgs.iptables"''; example = literalExpression "pkgs.iptables-legacy"; - description = lib.mdDoc '' + description = '' The package to use for running the firewall service. ''; }; @@ -81,7 +81,7 @@ in logRefusedConnections = mkOption { type = types.bool; default = true; - description = lib.mdDoc '' + description = '' Whether to log rejected or dropped incoming connections. Note: The logs are found in the kernel logs, i.e. dmesg or journalctl -k. @@ -91,7 +91,7 @@ in logRefusedPackets = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Whether to log all rejected or dropped incoming packets. This tends to give a lot of log messages, so it's mostly useful for debugging. @@ -103,7 +103,7 @@ in logRefusedUnicastsOnly = mkOption { type = types.bool; default = true; - description = lib.mdDoc '' + description = '' If {option}`networking.firewall.logRefusedPackets` and this option are enabled, then only log packets specifically directed at this machine, i.e., not broadcasts @@ -114,7 +114,7 @@ in rejectPackets = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' If set, refused packets are rejected rather than dropped (ignored). This means that an ICMP "port unreachable" error message is sent back to the client (or a TCP RST packet in @@ -127,7 +127,7 @@ in type = types.listOf types.str; default = [ ]; example = [ "enp0s2" ]; - description = lib.mdDoc '' + description = '' Traffic coming in from these interfaces will be accepted unconditionally. Traffic from the loopback (lo) interface will always be accepted. @@ -137,7 +137,7 @@ in allowPing = mkOption { type = types.bool; default = true; - description = lib.mdDoc '' + description = '' Whether to respond to incoming ICMPv4 echo requests ("pings"). ICMPv6 pings are always allowed because the larger address space of IPv6 makes network scanning much @@ -149,7 +149,7 @@ in type = types.nullOr (types.separatedString " "); default = null; example = "--limit 1/minute --limit-burst 5"; - description = lib.mdDoc '' + description = '' If pings are allowed, this allows setting rate limits on them. For the iptables based firewall, it should be set like @@ -165,7 +165,7 @@ in default = true; defaultText = literalMD "`true` except if the iptables based firewall is in use and the kernel lacks rpfilter support"; example = "loose"; - description = lib.mdDoc '' + description = '' Performs a reverse path filter test on a packet. If a reply to the packet would not be sent via the same interface that the packet arrived on, it is refused. @@ -183,7 +183,7 @@ in logReversePathDrops = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Logs dropped packets failing the reverse path filter test if the option networking.firewall.checkReversePath is enabled. ''; @@ -192,7 +192,7 @@ in filterForward = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Enable filtering in IP forwarding. This option only works with the nftables based firewall. @@ -203,7 +203,7 @@ in type = types.listOf types.str; default = [ ]; example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; - description = lib.mdDoc '' + description = '' List of connection-tracking helpers that are auto-loaded. The complete list of possible values is given in the example. @@ -222,7 +222,7 @@ in autoLoadConntrackHelpers = mkOption { type = types.bool; default = false; - description = lib.mdDoc '' + description = '' Whether to auto-load connection-tracking helpers. See the description at networking.firewall.connectionTrackingModules @@ -234,7 +234,7 @@ in type = types.listOf types.package; default = [ ]; example = literalExpression "[ pkgs.ipset ]"; - description = lib.mdDoc '' + description = '' Additional packages to be included in the environment of the system as well as the path of networking.firewall.extraCommands. ''; @@ -243,7 +243,7 @@ in interfaces = mkOption { default = { }; type = with types; attrsOf (submodule [{ options = commonOptions; }]); - description = lib.mdDoc '' + description = '' Interface-specific open ports. ''; }; @@ -253,7 +253,7 @@ in visible = false; default = { default = mapAttrs (name: value: cfg.${name}) commonOptions; } // cfg.interfaces; type = with types; attrsOf (submodule [{ options = commonOptions; }]); - description = lib.mdDoc '' + description = '' All open ports. ''; }; |