nixos/zone-firewall: initial version (DRAFT) #103152
Draft
This adds a zone-based firewall configured using Nix and backed by
nftables. It is ideal for use on routers and servers, and useful for
any system with more than one network connection. At the time of this
commit, it has already been used in production on multiple machines
for several months.
Motivation for this change
The existing Nix firewall is very rudimentary; it is only suitable for systems with a single interface, or for which all interfaces should be treated equally. Anything more complex needs to be handled via hand-written iptables scripts (which, admittedly, can be maintained using Nix).
This new zone-based firewall allows declaratively adding rules that apply to any desired combination of zones (where a "zone" is some combination of interfaces or the local machine). Each rule has an attached priority, which allows the firewall rules for a given service to be kept next to the configuration for the service, while still being able to rely on some rules being evaluated before other rules.
Things done
This PR is intended as a draft; it is still missing (and desperately needs) documentation and tests. I will write documentation in the coming weeks, but I'm not particularly sure how to test this module and could use some advice.
This started out being developed in thequux/nix-zone-firewall; the README there is a decent starting point for seeing how to use it, but it hasn't been updated for significant configuration changes in the last commit of that repo.
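The zone-and-priority model described in the motivation above, as an added illustration that is not part of this PR and does not use the module's option names (the `zones`, `rules`, `from`/`to`/`priority` attribute names and the `fw` pseudo-zone are assumptions made for the example): a plain Nix expression that takes zones as sets of interfaces and rules attached to (from, to) zone pairs, sorts each pair's rules by priority, and renders an nftables ruleset with a default-drop policy. Evaluate it with `nix-instantiate --eval --strict --json zone-demo.nix` and read the `ruleset` attribute.

```nix
# Added illustrative model of a zone-based nftables firewall in plain Nix.
# Not the PR's module; attribute names and the "fw" pseudo-zone (the local
# host) are assumptions for this example.
let
  zones = {
    wan = [ "eth0" ];
    lan = [ "eth1" "eth2" ];
  };

  # Rules may be listed in any order (e.g. next to the service they belong to);
  # the priority decides evaluation order within a zone pair (lower runs first).
  rules = [
    { from = "wan"; to = "lan"; priority = 500; rule = "tcp dport 80 accept"; }
    { from = "wan"; to = "lan"; priority = 100; rule = "ct state established,related accept"; }
    { from = "wan"; to = "lan"; priority = 200; rule = "ct state invalid drop"; }
    { from = "lan"; to = "wan"; priority = 100; rule = "accept"; }
    { from = "lan"; to = "fw";  priority = 100; rule = "tcp dport { 22, 53 } accept"; }
    { from = "lan"; to = "fw";  priority = 100; rule = "udp dport 53 accept"; }
    { from = "wan"; to = "fw";  priority = 100; rule = "tcp dport 443 accept"; }
  ];

  quote = s: "\"${s}\"";
  # Anonymous nft set of a zone's interfaces, e.g. { "eth1", "eth2" }.
  ifaceSet = z: "{ ${builtins.concatStringsSep ", " (map quote zones.${z})} }";
  chainName = p: "${p.from}_to_${p.to}";

  # Distinct (from, to) pairs that carry at least one rule, in first-seen order.
  pairs = builtins.foldl'
    (acc: r: let p = { inherit (r) from to; }; in
      if builtins.elem p acc then acc else acc ++ [ p ])
    [ ] rules;

  # Rules for one pair, sorted by priority (lower first).
  rulesFor = p: builtins.sort (a: b: a.priority < b.priority)
    (builtins.filter (r: r.from == p.from && r.to == p.to) rules);

  # Base chains only dispatch by interface into per-pair chains; anything
  # that returns unmatched falls through to the base chain's drop policy.
  dispatch = p:
    if p.to == "fw"
    then "    iifname ${ifaceSet p.from} jump ${chainName p}"
    else "    iifname ${ifaceSet p.from} oifname ${ifaceSet p.to} jump ${chainName p}";

  inputPairs = builtins.filter (p: p.to == "fw") pairs;
  forwardPairs = builtins.filter (p: p.to != "fw") pairs;

  renderChain = p: builtins.concatStringsSep "\n" (
    [ "  chain ${chainName p} {" ]
    ++ map (r: "    ${r.rule} comment ${quote "priority ${toString r.priority}"}") (rulesFor p)
    ++ [ "  }" ]);

  ruleset = builtins.concatStringsSep "\n" (
    [ "table inet zonefw {"
      "  chain input {"
      "    type filter hook input priority 0; policy drop;"
      "    iifname \"lo\" accept"
      "    ct state established,related accept"
    ]
    ++ map dispatch inputPairs
    ++ [ "  }"
         "  chain forward {"
         "    type filter hook forward priority 0; policy drop;"
       ]
    ++ map dispatch forwardPairs
    ++ [ "  }" ]
    ++ map renderChain pairs
    ++ [ "}" ]);
in
{
  inherit ruleset;
  # Shows the ordering effect: the wan_to_lan chain comes out as 100, 200, 500
  # even though the rules were declared as 500, 100, 200.
  wanToLanPriorities = map (r: r.priority) (rulesFor { from = "wan"; to = "lan"; });
}
```

Two properties worth checking in any generated ruleset of this kind: the base chains carry `policy drop` and only dispatch, so an interface not assigned to any zone gets no `jump` and is dropped outright; and the `wan_to_lan` chain admits return traffic (`ct state established,related`, priority 100) before the service rule at priority 500, which is the ordering guarantee a priority field is meant to provide regardless of where each rule is declared.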