nixos/zone-firewall: initial version (DRAFT) #103152

Conversation

@thequux thequux commented Nov 8, 2020

This adds a zone-based firewall configured using Nix and backed by
nftables. It is ideal for use on routers and servers, and useful for
any system with more than one network connection. At the time of this
commit, it has already been used in production on multiple machines
for several months.

Motivation for this change

The existing nix firewall is very rudimentary; it is only suitable for systems with a single interface, or for which all interfaces should be treated equally. Anything more complex needs to be handled via hand-written iptables scripts (which, admittedly, can be maintained using nix).

This new zone-based firewall allows declaratively adding rules that apply to any desired combination of zones (where a "zone" is some combination of interfaces or the local machine). Each rule has an attached priority, which allows the firewall rules for a given service to be kept next to the configuration for the service, while still being able to rely on some rules being evaluated before other rules.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

This PR is intended as a draft; it is still missing (and desperately needs) documentation and tests. I will write documentation in the coming weeks, but I'm not particularly sure how to test this module and could use some advice.

This started out being developed in thequux/nix-zone-firewall; the README there is a decent starting point for seeing how to use it, but it hasn't been updated for significant configuration changes in the last commit of that repo.

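The description above sketches the design (zones are sets of interfaces or the local machine, each rule targets a pair of zones and carries a priority) but the PR itself contains no visible code. The following is an added toy compiler illustrating that model; it is not the nixos/zone-firewall module, and every option name, the `zonefw` table name and the sample zones and rules are constructed for this example. It sorts rules by priority before emitting an nftables ruleset, so a low-priority drop declared next to one service still lands before an accept declared next to another.

```python
"""Toy zone-based firewall compiler: an added example, not the PR's module.

It models the design the PR description sketches: a zone is a set of
interfaces (or the local machine), each rule targets a (from, to) zone pair
and carries a priority, and the compiler sorts rules by priority before
emitting an nftables ruleset. Every option name here is hypothetical and
does not correspond to the nixos/zone-firewall options.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LOCAL = "local"  # pseudo-zone for the machine itself


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    priority: int                 # lower values are evaluated first
    action: str                   # "accept" or "drop"
    proto: Optional[str] = None   # e.g. "tcp"; None matches any protocol
    dport: Optional[int] = None   # destination port, if proto is set
    owner: str = ""               # service whose config declares the rule


def chain_bodies(zones: Dict[str, List[str]], rules: List[Rule]) -> Dict[str, List[str]]:
    """Return the rule lines for each base chain, ordered by priority.

    sorted() is stable, so rules with equal priority keep the order in which
    they were declared.
    """
    bodies: Dict[str, List[str]] = {"input": [], "forward": [], "output": []}
    for r in sorted(rules, key=lambda r: r.priority):
        for z in (r.from_zone, r.to_zone):
            if z != LOCAL and z not in zones:
                raise ValueError(f"rule from {r.owner!r} references unknown zone {z!r}")
        if r.from_zone == LOCAL and r.to_zone == LOCAL:
            chain, match = "input", "iifname lo"
        elif r.to_zone == LOCAL:
            chain, match = "input", f"iifname @{r.from_zone}_ifaces"
        elif r.from_zone == LOCAL:
            chain, match = "output", f"oifname @{r.to_zone}_ifaces"
        else:
            chain, match = "forward", f"iifname @{r.from_zone}_ifaces oifname @{r.to_zone}_ifaces"
        svc = f" {r.proto} dport {r.dport}" if r.proto and r.dport else ""
        bodies[chain].append(f'{match}{svc} {r.action} comment "{r.owner} prio={r.priority}"')
    return bodies


def compile_ruleset(zones: Dict[str, List[str]], rules: List[Rule]) -> str:
    """Render a complete ruleset in `nft -f` syntax (table inet zonefw)."""
    out = ["table inet zonefw {"]
    for name, ifaces in zones.items():
        out.append(f"  set {name}_ifaces {{ type ifname; elements = {{ {', '.join(ifaces)} }} }}")
    for chain, body in chain_bodies(zones, rules).items():
        out.append(f"  chain {chain} {{")
        # Default-deny per chain; only explicit zone rules open anything.
        out.append(f"    type filter hook {chain} priority 0; policy drop;")
        out.append("    ct state established,related accept")
        out.extend(f"    {line}" for line in body)
        out.append("  }")
    out.append("}")
    return "\n".join(out)


# Constructed sample configuration, not taken from the PR.
ZONES = {"wan": ["eth0"], "lan": ["eth1", "wlan0"]}
RULES = [
    # Declared next to the SSH service config ...
    Rule("lan", LOCAL, 100, "accept", "tcp", 22, owner="openssh"),
    # ... next to the DNS resolver config ...
    Rule("lan", LOCAL, 100, "accept", "udp", 53, owner="unbound"),
    # ... and next to the router config; evaluated last in forward.
    Rule("lan", "wan", 500, "accept", owner="gateway"),
    # Declared last, but its low priority puts it before every input accept.
    Rule("wan", LOCAL, 10, "drop", owner="wan-hardening"),
]

if __name__ == "__main__":
    print(compile_ruleset(ZONES, RULES))
```

Running the module prints a ruleset in which the `wan-hardening` drop is the first zone rule in the `input` chain even though it was declared last, which is the property the description relies on when it talks about keeping a service's rules next to its configuration. The `ct state established,related accept` line sits above all zone rules in every chain as a fixed design choice of this toy; a real module would presumably expose that ordering through priorities as well.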
stale bot commented Jun 4, 2021

I marked this as stale due to inactivity.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 4, 2021
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Mar 20, 2024