nixos/sshd: disable openFirewall by default #81490
Conversation
There was a problem hiding this comment.
By forcing the user to choose a value this satisfies the argument against unknowingly locking people out of their systems, as well as the argument for a more secure default 👍
If there were to be any change to this PR I might suggest that since this will impact a large number of users we might add an assertion which explains the situation nicer than the existing openFirewall referenced but not declared error, which isn't overly nice or clear.
|
We should see if @edolstra finds this to be an acceptable compromise. This satisfies issues he has raised in the past, so I think there is a chance he would be accepting of this. |
bb2020
force-pushed
the
ssh-fw
branch
2 times, most recently
from
d3bb37d
to
95d0e82
Compare
|
This would be okay, though I still think that the case where you want sshd enabled but you don't want it exposed in the firewall is a pretty rare one. So the current situation has my preference. |
|
One possible scenario would be having two interfaces and assigning one of them as trusted interface with |
This is my scenario. I set |
|
Of course you are right. This is a rare situation. However SSH is a dangerous thing when it is unchecked by firewall. I think we should maximize security whenever possible. |
|
if I'm not mistaken, it'll add an extra not that obvious step to the installation process - not only enable sshd but open port for it. |
|
@Frostman posting a clear message to the screen in an assertion if the user hasn't explicitly opened the firewall will clarify any confusion. All services except Personally I'm somewhat indifferent to this PR, but the change has been requested a number of times and it seems like a reasonable solution to me. Since @edolstra seems to find this solution acceptable enough maybe we just wait and see more opinions 🤷♂️ |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/ssh-openfirewall-exception/12066/1 |
|
AFAIU you won't if you didn't set |
|
You are correct @Ma27 - this PR forces the user to explicitly set a value... so no risk of breakage. |
So does this mean that the default configuration as it is today, made by Edit: Ah, I misremembered. You have to manually enable SSH anyway, so this just makes it a required option. I see. |
|
However, what about the installer image? SSH is enabled on that out-of-the-box. This is nice behavior in my view, because it allows easy provisioning, so even if this is merged, |
I tried to achieve that here. I am not sure if it is enough. |
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
stale
bot
removed
the
2.status: stale
stale
bot
added
the
2.status: stale
stale
bot
removed
the
2.status: stale
infinisil
added
the
significant
wegank
added
2.status: stale
stale
bot
removed
the
2.status: stale
bb2020
force-pushed
the
ssh-fw
branch
3 times, most recently
from
69b3d09
to
a895f9c
Compare
Opening SSH port on firewall is a security risk and it should be blocked by default.
I thought this was an urgent issue so I didn't use proper branching and had to create a new PR.
Sorry for the duplicate.
Motivation for this change
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)