New firewall service

Status: Open
Participants: Arun Isaac, antlers, Jonathan Brielmaier, Solene Rapenne
Owner: unassigned
Submitted by: Solene Rapenne
Severity: normal
Solene Rapenne wrote on 12 Jun 2021 19:19
(address . guix-patches@gnu.org)
20210612191959.6394494e@perso.pw
Hello,

I wrote a new firewall service. I already wrote an email to guix-devel
about it and it was suggested that I submit it here.

The idea is to propose an easy way to manage your firewall. On a
personal computer or a server with no fancy network, you certainly want
to block access from the outside to all the ports except a few ones.

The configuration looks like this; currently it only supports TCP and
UDP ports. Maybe NAT or other features could be added later, I'm open
to suggestions.

(service firewall-service-type
         (firewall-configuration
          (udp '(53))
          (tcp '(22 70 1965))))


Here is the code, I took bits from iptables as a base and then used the
Tor service way to generate the configuration file.

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 87b3d754a3..d311f95448 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -221,7 +221,11 @@
keepalived-configuration
keepalived-configuration?
- keepalived-service-type))
+ keepalived-service-type
+
+ firewall-service-type
+ firewall-configuration
+ firewall-configuration?))
;;; Commentary:
;;;
@@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network.")))
"Run @uref{https://www.keepalived.org/, Keepalived}
routing software.")))
+
+;;;
+;;; Firewall
+;;;
+
+(define-record-type* <firewall-configuration>
+ firewall-configuration make-firewall-configuration
+ firewall-configuration?
+ (tcp firewall-configuration-tcp
+ (default '()))
+ (udp firewall-configuration-udp
+ (default '())))
+
+(define (firewall-configuration->file tcp udp)
+ "Return the iptables rules from the ports list"
+ (computed-file
+ "firewall-generated-rules"
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils)
+ (ice-9 match))
+ (call-with-output-file #$output
+ (lambda (out)
+ (display "\
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out)
+
+ ;; tcp rules
+ (when (not (null? (list #$@tcp)))
+ (format out "\
+~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}"
+ (list #$@tcp)))
+
+ ;; udp rules
+ (when (not (null? (list #$@udp)))
+ (format out "\
+~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}"
+ (list #$@udp)))
+
+ (display "COMMIT\n" out)
+ #t))))))
+
+(define firewall-shepherd-service
+ (match-lambda
+ (($ <firewall-configuration> tcp udp)
+ (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
+ (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore"))
+ (ruleset (firewall-configuration->file tcp udp)))
+ (shepherd-service
+ (documentation "Easy firewall management")
+ (provision '(firewall))
+ (start #~(lambda _
+ (invoke #$iptables-restore #$ruleset)
+ (invoke #$ip6tables-restore #$ruleset)))
+ (stop #~(lambda _
+ (invoke #$iptables-restore #$ruleset)
+ (invoke #$ip6tables-restore #$ruleset))))))))
+
+(define firewall-service-type
+ (service-type
+ (name 'firewall)
+ (description
+ "Run @command{iptables-restore}, setting up the specified rules.")
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ (compose list firewall-shepherd-service))))))
+
+
;;; networking.scm ends here
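Review bot: the `stop` handler in `firewall-shepherd-service` reloads the same default-DROP ruleset that `start` loads, so stopping the service opens nothing; as noted later in this thread, the existing iptables service restores an accept-all ruleset on stop, and extending `iptables-service-type` (or loading an accept-all file here) would give the same behaviour. Second, `firewall-configuration->file` produces one file that is fed to both `iptables-restore` and `ip6tables-restore`; with `:INPUT DROP` and only the `lo` and `ESTABLISHED,RELATED` exceptions, neighbour discovery and router advertisements are dropped on IPv6, which breaks IPv6 connectivity on the host. The IPv6 ruleset needs accepts for those ICMPv6 types, e.g. `-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT`. Minor: `(ice-9 match)` is imported inside the build-side gexp but never used, and `(when (not (null? ...)))` reads more simply as `unless`.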
Jonathan Brielmaier wrote on 12 Jun 2021 21:59
73ab1edf-5917-a01f-66b9-816c43899020@web.de
On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> Hello,
>
> I wrote a new firewall service, I already wrote an email to guix-devel
> about it and I've been suggested to submit it here.
>
> The idea is to propose an easy way to manage your firewall. On a
> personal computer or a server with no fancy network, you certainly want
> to block access from the outside to all the ports except a few ones.

Hi Solene,

that is a really good idea. So I could get rid of my growing lines of
plain iptables in my Guix config :)

> The configuration looks like this, currently it only supports TCP and
> UDP ports. Maybe NAT could be added later or other feature, I'm opened
> to suggestions.
>
> (service firewall-service-type
> (firewall-configuration
> (udp '(53))
> (tcp '(22 70 1965))))

I think we could improve the syntax as to be honest I'm unsure if the
listed ports are the open or the closed ones.

Maybe we could call this service simple-firewall-service-type or
something along those lines.

>
> Here is the code, I took bits from iptables as a base and then used the
> Tor service way to generate the configuration file.
>
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 87b3d754a3..d311f95448 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm

You should add a copyright line for yourself at the top of the file.

> @@ -221,7 +221,11 @@
>
> keepalived-configuration
> keepalived-configuration?
> - keepalived-service-type))
> + keepalived-service-type
> +
> + firewall-service-type
> + firewall-configuration
> + firewall-configuration?))
>
> ;;; Commentary:
> ;;;
> @@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network.")))
> "Run @uref{https://www.keepalived.org/, Keepalived}
> routing software.")))
>
> +
> +;;;
> +;;; Firewall
> +;;;
> +
> +(define-record-type* <firewall-configuration>
> + firewall-configuration make-firewall-configuration
> + firewall-configuration?
> + (tcp firewall-configuration-tcp
> + (default '()))
> + (udp firewall-configuration-udp
> + (default '())))
> +
> +(define (firewall-configuration->file tcp udp)
> + "Return the iptables rules from the ports list"
> + (computed-file
> + "firewall-generated-rules"
> + (with-imported-modules '((guix build utils))
> + #~(begin
> + (use-modules (guix build utils)
> + (ice-9 match))
> + (call-with-output-file #$output
> + (lambda (out)
> + (display "\
> +*filter
> +:INPUT DROP
> +:FORWARD DROP
> +:OUTPUT ACCEPT
> +-A INPUT -i lo -j ACCEPT
> +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out)
> +
> + ;; tcp rules
> + (when (not (null? (list #$@tcp)))
> + (format out "\
> +~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}"
> + (list #$@tcp)))
> +
> + ;; udp rules
> + (when (not (null? (list #$@udp)))
> + (format out "\
> +~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}"
> + (list #$@udp)))
> +
> + (display "COMMIT\n" out)
> + #t))))))

I'm not an iptables expert but does this config block/open IPv4 as well
as IPv6?

> +(define firewall-shepherd-service
> + (match-lambda
> + (($ <firewall-configuration> tcp udp)
> + (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
> + (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore"))
> + (ruleset (firewall-configuration->file tcp udp)))
> + (shepherd-service
> + (documentation "Easy firewall management")
> + (provision '(firewall))
> + (start #~(lambda _
> + (invoke #$iptables-restore #$ruleset)
> + (invoke #$ip6tables-restore #$ruleset)))
> + (stop #~(lambda _
> + (invoke #$iptables-restore #$ruleset)
> + (invoke #$ip6tables-restore #$ruleset))))))))
> +
> +(define firewall-service-type
> + (service-type
> + (name 'firewall)
> + (description
> + "Run @command{iptables-restore}, setting up the specified rules.")
> + (extensions
> + (list (service-extension shepherd-root-service-type
> + (compose list firewall-shepherd-service))))))
> +
> +
> ;;; networking.scm ends here
Solene Rapenne wrote on 13 Jun 2021 00:13
(name . Jonathan Brielmaier)(address . jonathan.brielmaier@web.de)(address . 48975@debbugs.gnu.org)
20210613001358.3cc67453@daru.lan
On Sat, 12 Jun 2021 21:59:53 +0200
Jonathan Brielmaier <jonathan.brielmaier@web.de>:

> On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> > Hello,
> >
> > I wrote a new firewall service, I already wrote an email to guix-devel
> > about it and I've been suggested to submit it here.
> >
> > The idea is to propose an easy way to manage your firewall. On a
> > personal computer or a server with no fancy network, you certainly want
> > to block access from the outside to all the ports except a few ones.
>
> Hi Solene,
>
> that is a really good idea. So I could get rid of my growing lines of
> plain iptables in my Guix config :)
>
> > The configuration looks like this, currently it only supports TCP and
> > UDP ports. Maybe NAT could be added later or other feature, I'm opened
> > to suggestions.
> >
> > (service firewall-service-type
> > (firewall-configuration
> > (udp '(53))
> > (tcp '(22 70 1965))))
>
> I think we could improve the syntax as to be honest I'm unsure if the
> listed ports are the open or the closed ones.
>
> Maybe we could call this service simple-firewall-service-type or
> something along this.

hello, thanks a lot for your feedback.

I have no argument for a rename, as long as it's understandable.
As it's simple, I like simple-firewall.

Do you think this would be easier to understand by adding "open"
to the names?

(service simple-firewall-service-type
         (simple-firewall-configuration
          (open-udp '(53))
          (open-tcp '(22 ...))))

I think we must decide whether ICMP is allowed by default or not and
the syntax to enable/disable it. Maybe this? I would disable it by
default.

(allow-icmp? #t)

If you stop simple-firewall with the current code, it will block
every inbound port. I'm not sure if it's the correct way to proceed; I suppose
it should flush absolutely everything.

To match the most simple use cases, a simple NAT and port redirection
could be done too.

;; do NAT on eth0 and set the according sysctl
(nat-on "eth0")

;; redirect incoming connections on ports 22 and 8080 to another box
(redirect '((22 "192.168.1.50:22")
            (8080 "192.168.1.50:80")))
> >
> > Here is the code, I took bits from iptables as a base and then used the
> > Tor service way to generate the configuration file.
> >
> > diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> > index 87b3d754a3..d311f95448 100644
> > --- a/gnu/services/networking.scm
> > +++ b/gnu/services/networking.scm
>
> You should add a copyright line for yourself at the top of the file.
>

I've been told it's not mandatory. I have no issue adding it though.

I found a ^L character in many places in networking.scm; I don't
know if its appearance is legit or not. I think it's a garbage
character that got copy/pasted over and over. I copied it just in
case.

Arun Isaac wrote on 13 Jun 2021 11:29
(name . Jonathan Brielmaier)(address . jonathan.brielmaier@web.de)
87czsqqfic.fsf@systemreboot.net
Hi Solene,

Thanks for the great work! I wrote the iptables service in the hope of
some day extending it to something like this, but you've beaten me to
it! :-) Some feedback follows.

Your implementation duplicates some of the code in the iptables
service. How about making it simply /extend/ the iptables service with
the generated rules? This way, you won't have to handle the start/stop
iptables-restore gexps. The iptables service, when stopped, already has
the correct behaviour of opening all ports.

WDYT?

Regards,
Arun
antlers wrote on 4 Nov 2022 08:25
[PATCH] gnu: simple-firewall-service: Add a simple service wrapping iptables
(address . 48975@debbugs.gnu.org)(name . antlers)(address . antlers@luris.net)
20221104072550.32038-1-autumnalantlers@gmail.com
From: antlers <antlers@luris.net>

* gnu/services/networking.scm (simple-firewall-service): Add.
(iptables-service): Allow a crude sort of service extension.

I tried out a keyword-based syntax:
```
(simple-firewall-configuration
  (allow-forwarding? #t)
  (allowed-ports '(#:both 51234
                   #:tcp 80 443
                   #:udp 4444)))
```
But kept the more verbose tcp and udp fields because I don't want
people to have to use quasiquotes to splice in evaluated port-numbers
after the keywords.

I like the suggestion that there should be a field for redirecting
packets, whether to loopback or another box, as it took me a while to
learn about e.g. masquerading last time I needed to set something like
that up. Not sure what command would be equivalent to the NAT
suggestion?

I guess nftables has superseded iptables, but I'm not as familiar with
it? Perhaps I can add it as a second back-end in the future. My
primary concern right now is a pure Scheme interface for networking
configuration; most notably via service inheritance! Simple-firewall
now lets you open ports via extensions in other services; in order for
this option to be widely available, perhaps it's the
{nf,ip}tables-services that should be extensible? It's a tricky
problem atm because we don't really want services that need ports
depending on a specific backend, there are existing APIs, they use
plain-files over structs or strings, and rule orders need to be
really specific/coordinated. Idk, maybe that isn't something we really
want in the first place, but it sure feels good from a configuration /
organizational point-of-view. Happy to tweak this again if anyone has
ideas.
---
gnu/services/networking.scm | 79 ++++++++++++++++++++++++++++++++++++-
1 file changed, 77 insertions(+), 2 deletions(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 19aba8c266..0866c10b34 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -18,6 +18,8 @@
;;; Copyright © 2021 Christine Lemmer-Webber <cwebber@dustycloud.org>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
+;;; Copyright © 2021 Solene Rapenne
+;;; Copyright © 2022 antlers <autumnalantlers@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -225,7 +227,11 @@ (define-module (gnu services networking)
keepalived-configuration
keepalived-configuration?
- keepalived-service-type))
+ keepalived-service-type
+
+ simple-firewall-service-type
+ simple-firewall-configuration
+ simple-firewall-configuration?))
;;; Commentary:
;;;
@@ -1721,7 +1727,13 @@ (define iptables-service-type
"Run @command{iptables-restore}, setting up the specified rules.")
(extensions
(list (service-extension shepherd-root-service-type
- (compose list iptables-shepherd-service))))))
+ (compose list iptables-shepherd-service))))
+ ;; Some services extend iptables, but such services are mutually exclusive,
+ ;; and should be either extended directly or superseded entirely depending
+ ;; the complexity of your desired configuration.
+ (compose identity)
+ (extend (lambda (config entries)
+ (last entries)))))
;;;
;;; nftables
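Review bot: `(extend (lambda (config entries) (last entries)))` silently discards the user's own `iptables-configuration` and every extension except the last, so two services that both extend `iptables-service-type` compete with no diagnostic, and if the procedure is ever called with an empty `entries` list, `last` raises an error. Return `config` when `entries` is null and raise an error (or at least warn) when more than one extension is present; the comment should also say what a user with two extenders is expected to do instead. In the comment, `depending the complexity` wants `depending on the complexity`.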
@@ -2186,4 +2198,67 @@ (define keepalived-service-type
"Run @uref{https://www.keepalived.org/, Keepalived}
routing software.")))
+
+;;;
+;;; Simple Firewall
+;;;
+
+(define-record-type* <simple-firewall-configuration>
+ simple-firewall-configuration make-simple-firewall-configuration
+ simple-firewall-configuration?
+ (allow-icmp? simple-firewall-configuration-allow-icmp?
+ (default #f))
+ (allow-forwarding? simple-firewall-configuration-allow-forwarding?
+ (default #f))
+
+ (open-tcp-ports simple-firewall-configuration-open-tcp-ports
+ (default '()))
+ (open-udp-ports simple-firewall-configuration-open-udp-ports
+ (default '())))
+
+(define simple-firewall-configuration->iptables-rules
+ (match-lambda
+ (($ <simple-firewall-configuration>
+ allow-icmp? allow-forwarding?
+ open-tcp-ports open-udp-ports)
+ (string-join
+ `("*filter"
+ ":INPUT DROP"
+ ,(string-append ":FORWARD " (if allow-forwarding? "ACCEPT" "DROP"))
+ ":OUTPUT ACCEPT"
+ "-A INPUT -i lo -j ACCEPT"
+ "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+ ,@(unless allow-icmp? '("-A INPUT -p icmp -j DROP"
+ "-A INPUT -p icmpv6 -j DROP"))
+ ,@(map (cut string-append "-A INPUT -p tcp --dport " <> " -j ACCEPT") (map number->string open-tcp-ports))
+ ,@(map (cut string-append "-A INPUT -p udp --dport " <> " -j ACCEPT") (map number->string open-udp-ports))
+ "-A INPUT -j REJECT --reject-with icmp-port-unreachable"
+ "COMMIT")
+ "\n" 'suffix))))
+
+(define (simple-firewall-configuration->iptables-configuration config)
+ (let ((rules (simple-firewall-configuration->iptables-rules config)))
+ (iptables-configuration
+ (ipv4-rules (plain-file "iptables.rules" rules))
+ (ipv6-rules (plain-file "ip6tables.rules" rules)))))
+
+(define simple-firewall-service-type
+ (service-type
+ (name 'simple-firewall)
+ (description
+ "Run @command{iptables-restore}, setting up the specified rules.")
+ (extensions
+ (list (service-extension iptables-service-type
+ simple-firewall-configuration->iptables-configuration)))
+ (compose concatenate)
+ (extend (lambda (config entries)
+ (simple-firewall-configuration
+ (inherit config)
+ (open-tcp-ports
+ (concatenate (map simple-firewall-configuration-open-tcp-ports
+ (cons config entries))))
+ (open-udp-ports
+ (concatenate (map simple-firewall-configuration-open-udp-ports
+ (cons config entries)))))))))
+
;;; networking.scm ends here
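Review bot: `,@(unless allow-icmp? '(...))` splices the unspecified value that `unless` returns when `allow-icmp?` is #t, so the quasiquote's `append` receives a non-list and the build fails exactly when ICMP is enabled; write `,@(if allow-icmp? '() '("-A INPUT -p icmp -j DROP" "-A INPUT -p icmpv6 -j DROP"))`. Second, the same `rules` string is used for both `iptables.rules` and `ip6tables.rules`, but `--reject-with icmp-port-unreachable` is an IPv4 REJECT type; ip6tables spells it `icmp6-port-unreachable` and refuses the IPv4 name, so `ip6tables-restore` fails on this file. The rules should be rendered per address family, and the IPv6 variant needs the ICMPv6 neighbour-discovery and router-advertisement types accepted before `-p icmpv6 -j DROP`, otherwise the host loses IPv6 connectivity with the default `allow-icmp? #f`. Lastly, the `extend` procedure concatenates port lists without deduplication; harmless for iptables, but worth a comment.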
--
2.38.0
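As an added example that is not part of this patch series or of Guix, the following Python (rather than the service's Guile) renders the ruleset that a simple-firewall configuration describes, once per address family, with the details raised in this thread handled: ICMPv6 neighbour discovery kept open, ip6tables' own REJECT type, and the service-extension merge step that concatenates port lists. It also validates ports and deduplicates the merged lists, which the patch does not do. The names (`SimpleFirewallConfiguration`, `merge_extensions`, `iptables_rules`, `accepted_ports`) and the sample ports are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SimpleFirewallConfiguration:
    """Hypothetical Python mirror of the <simple-firewall-configuration> record."""
    allow_icmp: bool = False
    allow_forwarding: bool = False
    open_tcp_ports: tuple = ()
    open_udp_ports: tuple = ()


# ICMPv6 messages a host must still receive under a default-deny INPUT chain:
# neighbour discovery and router advertisements keep IPv6 working at all,
# packet-too-big keeps path MTU discovery working.  These are the names
# ip6tables accepts for --icmpv6-type.
ESSENTIAL_ICMPV6_TYPES = (
    "router-advertisement",
    "neighbour-solicitation",
    "neighbour-advertisement",
    "packet-too-big",
)


def _check_port(port):
    """Reject anything that is not a TCP/UDP port number (bool is an int in Python)."""
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return port


def merge_extensions(config, extensions):
    """Mirror the service-type `extend` step: the base config keeps its flags
    and the port lists of the config and every extension are concatenated.
    Unlike the patch, duplicates are removed while preserving order."""
    sources = (config, *extensions)
    tcp = tuple(dict.fromkeys(_check_port(p) for c in sources for p in c.open_tcp_ports))
    udp = tuple(dict.fromkeys(_check_port(p) for c in sources for p in c.open_udp_ports))
    return SimpleFirewallConfiguration(config.allow_icmp, config.allow_forwarding, tcp, udp)


def iptables_rules(config, ipv6=False):
    """Render an iptables-restore ruleset (or an ip6tables-restore one when
    ipv6=True).  The two families differ in the ICMP protocol name, the
    ICMPv6 exceptions, and the REJECT type: ip6tables does not accept
    icmp-port-unreachable, so one shared file cannot serve both."""
    icmp_proto = "ipv6-icmp" if ipv6 else "icmp"
    reject = "icmp6-port-unreachable" if ipv6 else "icmp-port-unreachable"
    lines = [
        "*filter",
        ":INPUT DROP",
        ":FORWARD " + ("ACCEPT" if config.allow_forwarding else "DROP"),
        ":OUTPUT ACCEPT",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    if ipv6:
        # Must precede any ICMPv6 drop, or the host loses IPv6 connectivity.
        lines += [f"-A INPUT -p ipv6-icmp --icmpv6-type {t} -j ACCEPT"
                  for t in ESSENTIAL_ICMPV6_TYPES]
    # Explicit ICMP rule, as in the patch; with allow-icmp? off it is dropped.
    lines.append(f"-A INPUT -p {icmp_proto} -j " + ("ACCEPT" if config.allow_icmp else "DROP"))
    lines += [f"-A INPUT -p tcp --dport {_check_port(p)} -j ACCEPT" for p in config.open_tcp_ports]
    lines += [f"-A INPUT -p udp --dport {_check_port(p)} -j ACCEPT" for p in config.open_udp_ports]
    lines += [f"-A INPUT -j REJECT --reject-with {reject}", "COMMIT"]
    return "\n".join(lines) + "\n"


def accepted_ports(rules):
    """Parse a rendered ruleset back into a set of (proto, port) that is opened,
    so a reviewer can check what a configuration actually exposes."""
    opened = set()
    for line in rules.splitlines():
        parts = line.split()
        if parts[:2] == ["-A", "INPUT"] and "--dport" in parts and parts[-1] == "ACCEPT":
            opened.add((parts[parts.index("-p") + 1], int(parts[parts.index("--dport") + 1])))
    return opened


if __name__ == "__main__":
    # Constructed sample: the ports from the thread plus one extending service.
    base = SimpleFirewallConfiguration(open_tcp_ports=(22, 70, 1965), open_udp_ports=(53,))
    web = SimpleFirewallConfiguration(open_tcp_ports=(80, 22))
    merged = merge_extensions(base, [web])
    print(iptables_rules(merged))
    print(iptables_rules(merged, ipv6=True))
    print(sorted(accepted_ports(iptables_rules(merged))))
```

Running the block prints the IPv4 and IPv6 rulesets side by side; the only lines that differ are the ICMP protocol name, the four ICMPv6 accepts and the REJECT type, which is exactly the per-family split the shared `rules` string in the patch lacks. The flags of the base configuration win in `merge_extensions`, matching the patch's `(inherit config)`.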
antlers wrote on 6 Nov 2022 21:39
(address . 48975@debbugs.gnu.org)
CAFxNT+eL9PWbVrdhj3RRH+3MDjU_oi5rkxSRr+SMKQf7OV5EWg@mail.gmail.com
After googling around a bit it looks like the `*filter` and `COMMIT`
commands in iptables configurations do in fact form a transactional block
that would allow us to accept additional plain-files via extensions and
just concatenate them, if that's a road we want to go down.
