sshd: provide option to disable firewall altering #34008

Closed
wants to merge 1 commit into from

lschuermann
Member

@lschuermann lschuermann commented Jan 18, 2018

Motivation for this change

It is probably a good thing that sshd opens its ports automatically. In the current state, however, this also means that there is no way to manually close these ports again. This PR therefore provides an option to disable automatic opening of sshd ports, if one wants to.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@lschuermann
Member Author

lschuermann commented Jan 18, 2018

There are also lots more modules that have this kind of behavior. Do you think it would be a good idea in general to provide an option allowing altering the firewall?
If so, would it be best to make possibly breaking changes and require the user to explicitly allow creation of firewall rules from now on, or just have the option to change the current behavior?

This is probably related to #19504.

My proposed change is basically the same as in this file: nixos/modules/services/monitoring/prometheus/varnish-exporter.nix

@GrahamcOfBorg added the labels "10.rebuild-darwin: 0" (This PR does not cause any packages to rebuild on Darwin) and "10.rebuild-linux: 0" (This PR does not cause any packages to rebuild on Linux) Jan 18, 2018
@adisbladis changed the title from "sudo: provide option to disable firewall altering" to "ssh: provide option to disable firewall altering" Jan 18, 2018
@adisbladis changed the title from "ssh: provide option to disable firewall altering" to "sshd: provide option to disable firewall altering" Jan 18, 2018
@adisbladis
Member

adisbladis commented Jan 18, 2018

Please change the commit message to sshd: ... :)

@lschuermann force-pushed the firewall-no-open-ports branch from 9634a02 to 0e12005 January 18, 2018 14:46
@lschuermann force-pushed the firewall-no-open-ports branch from 0e12005 to 0a78a38 January 18, 2018 14:48
@adisbladis
Member

Pushed in c61a9df

Thank you!

@adisbladis adisbladis closed this Jan 18, 2018
@lschuermann lschuermann deleted the firewall-no-open-ports branch October 14, 2018 09:28
3 participants