Date: Sun, 13 Jun 2021 00:13:58 +0200
From: Solene Rapenne
To: Jonathan Brielmaier
Cc: 48975@debbugs.gnu.org
Subject: Re: [bug#48975] New firewall service
Message-ID: <20210613001358.3cc67453@daru.lan>
In-Reply-To: <73ab1edf-5917-a01f-66b9-816c43899020@web.de>

On Sat, 12 Jun 2021 21:59:53 +0200 Jonathan Brielmaier :
> On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> > Hello,
> >
> > I wrote a new firewall service, I already wrote an email to guix-devel
> > about it and I've been suggested to submit it here.
> >
> > The idea is to propose an easy way to manage your firewall. On a
> > personal computer or a server with no fancy network, you certainly want
> > to block access from the outside to all the ports except a few ones.
>
> Hi Solene,
>
> that is a really good idea. So I could get rid of my growing lines of
> plain iptables in my Guix config :)
>
> > The configuration looks like this, currently it only supports TCP and
> > UDP ports. Maybe NAT could be added later or other features, I'm open
> > to suggestions.
> >
> > (service firewall-service-type
> >   (firewall-configuration
> >     (udp '(53))
> >     (tcp '(22 70 1965))))
>
> I think we could improve the syntax as to be honest I'm unsure if the
> listed ports are the open or the closed ones.
>
> Maybe we could call this service simple-firewall-service-type or
> something along this.

Hello, thanks a lot for your feedback. I have no argument for a rename, as
long as it's understandable.
As it's simple, I like simple-firewall. Do you think this would be easier to
understand by adding "open" to the names?

(service simple-firewall-service-type
  (simple-firewall-configuration
    (open-udp '(53))
    (open-tcp '(22 ...))))

I think we must decide if ICMP is allowed by default or not and the syntax
to enable/disable it. Maybe this? I would disable it by default.

(allow-icmp? #t)

If you stop simple-firewall with the current code, it will block every
inbound port, I'm not sure if it's the correct way to proceed, I suppose it
should flush absolutely everything.

To match the most simple use cases, a simple NAT and port redirection could
be done too.

;; do NAT on eth0 and set the according sysctl
(nat-on "eth0")

;; redirect incoming connections on ports 22 and 8080 to another box
(redirect '((22 "192.168.1.50:22")
            (8080 "192.168.1.50:80")))

> >
> > Here is the code, I took bits from iptables as a base and then used the
> > Tor service way to generate the configuration file.
> >
> > diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> > index 87b3d754a3..d311f95448 100644
> > --- a/gnu/services/networking.scm
> > +++ b/gnu/services/networking.scm
>
> You should add a copyright line for yourself at the top of the file.
>

I've been told it's not mandatory. I have no issue adding it though.

I found a ^L character at many places in networking.scm, I don't know if
its appearance is legit or not. I think it's a garbage character that got
copy/pasted over and over. I copied it just in case.

> >
> > +=0C
> > +;;;
> > +;;; Firewall
> > +;;;
> > +
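Review bot: the "+=0C" line is a form feed (^L), the same character that, as noted above, already appears at many places in networking.scm right before each ";;;" section banner; it is the file's existing section separator rather than a stray character, so keeping it in front of the new ";;; Firewall" banner is consistent with the rest of the file and should stay.

To make the behaviour discussed in this message concrete, here is an added example of my own (not code from the patch, from Guix, or from either author) rendering the iptables-restore ruleset such a simple-firewall configuration boils down to: default-deny on INPUT, loopback and already-established traffic allowed, only the listed TCP/UDP ports opened, ICMP behind a toggle like allow-icmp?, and a separate "stop" ruleset that flushes back to accept-all instead of leaving every inbound port blocked. The function names gen_rules, gen_stop_rules and valid_port, and the sample port lists, are assumptions made for this example; the functions only print rules, so they can be checked without root.

```shell
#!/bin/sh
# Added example (not from the patch): render the iptables-restore ruleset a
# "simple firewall" with the discussed options would install.
# Usage: gen_rules "<tcp ports>" "<udp ports>" <allow_icmp: yes|no>
# Function and argument names are assumptions for this example.

gen_rules() {
  tcp_ports=$1   # space-separated list, e.g. "22 70 1965" (open-tcp)
  udp_ports=$2   # space-separated list, e.g. "53" (open-udp)
  allow_icmp=$3  # "yes" or "no", standing in for (allow-icmp? #t/#f)

  echo '*filter'
  # Default-deny inbound and forwarded traffic; let outbound traffic pass.
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # Loopback and replies to connections this host opened are always fine.
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # Unquoted on purpose: the shell splits the port list on spaces.
  for p in $tcp_ports; do
    echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  for p in $udp_ports; do
    echo "-A INPUT -p udp --dport $p -j ACCEPT"
  done
  # ICMP is closed unless explicitly enabled (the proposed default).
  if [ "$allow_icmp" = yes ]; then
    echo '-A INPUT -p icmp -j ACCEPT'
  fi
  echo 'COMMIT'
}

# What "stop" emits if the service is meant to leave the host open again
# rather than fully closed: no rules, policies back to ACCEPT.
gen_stop_rules() {
  echo '*filter'
  echo ':INPUT ACCEPT [0:0]'
  echo ':FORWARD ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo 'COMMIT'
}

# Reject anything that is not an integer in 1..65535, so a typo in the
# configuration fails loudly instead of producing a ruleset that
# iptables-restore rejects at boot (leaving the host unfiltered).
valid_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Demo: "sh thisfile.sh demo" prints the ruleset for the ports in the thread.
if [ "${1-}" = demo ]; then
  for p in 22 70 1965 53; do
    valid_port "$p" || { echo "bad port: $p" >&2; exit 1; }
  done
  gen_rules "22 70 1965" "53" no
fi
```

The output is meant to be piped into iptables-restore. One caveat for anyone using it as a model: iptables only filters IPv4, so an equivalent ip6tables ruleset is needed as well, otherwise IPv6 on the same host stays unfiltered while the IPv4 side looks closed.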