From unknown Fri Jun 13 11:48:09 2025
Subject: [bug#48975] New firewall service
From: Solene Rapenne
To: guix-patches@gnu.org
Date: Sat, 12 Jun 2021 19:19:59 +0200
Message-ID: <20210612191959.6394494e@perso.pw>

Hello,

I wrote a new firewall service. I already wrote an email to guix-devel about it and it was suggested that I submit it here.

The idea is to propose an easy way to manage your firewall. On a personal computer or a server with no fancy network, you certainly want to block access from the outside to all the ports except a few ones.

The configuration looks like this; currently it only supports TCP and UDP ports. Maybe NAT or other features could be added later, I'm open to suggestions.

(service firewall-service-type
         (firewall-configuration
          (udp '(53))
          (tcp '(22 70 1965))))

Here is the code. I took bits from iptables as a base and then used the Tor service way to generate the configuration file.

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 87b3d754a3..d311f95448 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -221,7 +221,11 @@ =20 keepalived-configuration keepalived-configuration? - keepalived-service-type)) + keepalived-service-type + + firewall-service-type + firewall-configuration + firewall-configuration?)) =20 ;;; Commentary: ;;; 
@@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network."))) "Run @uref{https://www.keepalived.org/, Keepalived} routing software."))) =20 +=0C +;;; +;;; Firewall +;;; + +(define-record-type* + firewall-configuration make-firewall-configuration + firewall-configuration? + (tcp firewall-configuration-tcp + (default '())) + (udp firewall-configuration-udp + (default '()))) + +(define (firewall-configuration->file tcp udp) + "Return the iptables rules from the ports list" + (computed-file + "firewall-generated-rules" + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils) + (ice-9 match)) + (call-with-output-file #$output + (lambda (out) + (display "\ +*filter +:INPUT DROP +:FORWARD DROP +:OUTPUT ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out) + + ;; tcp rules + (when (not (null? (list #$@tcp))) + (format out "\ +~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}" + (list #$@tcp))) + + ;; udp rules + (when (not (null? 
(list #$@udp))) + (format out "\ +~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}" + (list #$@udp))) + + (display "COMMIT\n" out) + #t)))))) + +(define firewall-shepherd-service + (match-lambda + (($ tcp udp) + (let* ((iptables-restore (file-append iptables "/sbin/iptables-restor= e")) + (ip6tables-restore (file-append iptables "/sbin/ip6tables-rest= ore")) + (ruleset (firewall-configuration->file tcp udp))) + (shepherd-service + (documentation "Easy firewall management") + (provision '(firewall)) + (start #~(lambda _ + (invoke #$iptables-restore #$ruleset) + (invoke #$ip6tables-restore #$ruleset))) + (stop #~(lambda _ + (invoke #$iptables-restore #$ruleset) + (invoke #$ip6tables-restore #$ruleset)))))))) + +(define firewall-service-type + (service-type + (name 'firewall) + (description + "Run @command{iptables-restore}, setting up the specified rules.") + (extensions + (list (service-extension shepherd-root-service-type + (compose list firewall-shepherd-service)))))) + + ;;; networking.scm ends here

Subject: [bug#48975] New firewall service
From: Jonathan Brielmaier
To: Solene Rapenne, 48975@debbugs.gnu.org
Date: Sat, 12 Jun 2021 21:59:53 +0200
Message-ID: <73ab1edf-5917-a01f-66b9-816c43899020@web.de>
In-Reply-To: <20210612191959.6394494e@perso.pw>
On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> Hello,
>
> I wrote a new firewall service, I already wrote an email to guix-devel
> about it and I've been suggested to submit it here.
>
> The idea is to propose an easy way to manage your firewall. On a
> personal computer or a server with no fancy network, you certainly want
> to block access from the outside to all the ports except a few ones.

Hi Solene,

that is a really good idea. So I could get rid of my growing lines of plain iptables in my Guix config :)

> The configuration looks like this, currently it only supports TCP and
> UDP ports. Maybe NAT could be added later or other feature, I'm opened
> to suggestions.
>
> (service firewall-service-type
> (firewall-configuration
> (udp '(53))
> (tcp '(22 70 1965))))

I think we could improve the syntax as, to be honest, I'm unsure if the listed ports are the open or the closed ones.

Maybe we could call this service simple-firewall-service-type or something along these lines.

> Here is the code, I took bits from iptables as a base and then used the
> Tor service way to generate the configuration file.
>
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 87b3d754a3..d311f95448 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm

You should add a copyright line for yourself at the top of the file.

> @@ -221,7 +221,11 @@
>
> keepalived-configuration
> keepalived-configuration?
> - keepalived-service-type))
> + keepalived-service-type
> +
> + firewall-service-type
> + firewall-configuration
> + firewall-configuration?))
>
> ;;; Commentary:
> ;;;
> @@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network.")))
> "Run @uref{https://www.keepalived.org/, Keepalived}
> routing software.")))
>
> +=0C
> +;;;
> +;;; Firewall
> +;;;
> +
> +(define-record-type*
> + firewall-configuration make-firewall-configuration
> + firewall-configuration?
> + (tcp firewall-configuration-tcp
> + (default '()))
> + (udp firewall-configuration-udp
> + (default '())))
> +
> +(define (firewall-configuration->file tcp udp)
> + "Return the iptables rules from the ports list"
> + (computed-file
> + "firewall-generated-rules"
> + (with-imported-modules '((guix build utils))
> + #~(begin
> + (use-modules (guix build utils)
> + (ice-9 match))
> + (call-with-output-file #$output
> + (lambda (out)
> + (display "\
> +*filter
> +:INPUT DROP
> +:FORWARD DROP
> +:OUTPUT ACCEPT
> +-A INPUT -i lo -j ACCEPT
> +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out)
> +
> + ;; tcp rules
> + (when (not (null? (list #$@tcp)))
> + (format out "\
> +~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}"
> + (list #$@tcp)))
> +
> + ;; udp rules
> + (when (not (null? (list #$@udp)))
> + (format out "\
> +~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}"
> + (list #$@udp)))
> +
> + (display "COMMIT\n" out)
> + #t))))))

I'm not an iptables expert, but does this config block/open IPv4 as well as IPv6?
> +(define firewall-shepherd-service
> + (match-lambda
> + (($ tcp udp)
> + (let* ((iptables-restore (file-append iptables "/sbin/iptables-res= tore"))
> + (ip6tables-restore (file-append iptables "/sbin/ip6tables-r= estore"))
> + (ruleset (firewall-configuration->file tcp udp)))
> + (shepherd-service
> + (documentation "Easy firewall management")
> + (provision '(firewall))
> + (start #~(lambda _
> + (invoke #$iptables-restore #$ruleset)
> + (invoke #$ip6tables-restore #$ruleset)))
> + (stop #~(lambda _
> + (invoke #$iptables-restore #$ruleset)
> + (invoke #$ip6tables-restore #$ruleset))))))))
> +
> +(define firewall-service-type
> + (service-type
> + (name 'firewall)
> + (description
> + "Run @command{iptables-restore}, setting up the specified rules.")
> + (extensions
> + (list (service-extension shepherd-root-service-type
> + (compose list firewall-shepherd-service)))= )))
> +
> +
> ;;; networking.scm ends here

Subject: [bug#48975] New firewall service
From: Solene Rapenne
To: Jonathan Brielmaier
Cc: 48975@debbugs.gnu.org
Date: Sun, 13 Jun 2021 00:13:58 +0200
Message-ID: <20210613001358.3cc67453@daru.lan>
In-Reply-To: <73ab1edf-5917-a01f-66b9-816c43899020@web.de>

On Sat, 12 Jun 2021 21:59:53 +0200 Jonathan Brielmaier:
> On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> > Hello,
> >
> > I wrote a new firewall service, I already wrote an email to guix-devel
> > about it and I've been suggested to submit it here.
> >
> > The idea is to propose an easy way to manage your firewall. On a
> > personal computer or a server with no fancy network, you certainly want
> > to block access from the outside to all the ports except a few ones.
>
> Hi Solene,
>
> that is a really good idea. So I could get rid of my growing lines of
> plain iptables in my Guix config :)
>
> > The configuration looks like this, currently it only supports TCP and
> > UDP ports. Maybe NAT could be added later or other feature, I'm opened
> > to suggestions.
> >
> > (service firewall-service-type
> > (firewall-configuration
> > (udp '(53))
> > (tcp '(22 70 1965))))
>
> I think we could improve the syntax as to be honest I'm unsure if the
> listed ports are the open or the closed ones.
>
> Maybe we could call this service simple-firewall-service-type or
> something along this.

Hello, thanks a lot for your feedback.

I have no argument for a rename, as long as it's understandable. As it's simple, I like simple-firewall. Do you think this would be easier to understand by adding "open" to the names?
(service simple-firewall-service-type
         (simple-firewall-configuration
          (open-udp '(53))
          (open-tcp '(22 ...))))

I think we must decide if ICMP is allowed by default or not, and the syntax to enable/disable it. Maybe this? I would disable it by default.

(allow-icmp? #t)

If you stop simple-firewall with the current code, it will block every inbound port. I'm not sure if it's the correct way to proceed; I suppose it should flush absolutely everything.

To match the most simple use cases, a simple NAT and port redirection could be done too.

;; do NAT on eth0 and set the according sysctl
(nat-on "eth0")

;; redirect incoming connections on ports 22 and 8080 to another box
(redirect '((22 "192.168.1.50:22") (8080 "192.168.1.50:80")))

> >
> > Here is the code, I took bits from iptables as a base and then used the
> > Tor service way to generate the configuration file.
> >
> > diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> > index 87b3d754a3..d311f95448 100644
> > --- a/gnu/services/networking.scm
> > +++ b/gnu/services/networking.scm
>
> You should add a copyright line for yourself at the top of the file.
>

I've been told it's not mandatory. I have no issue adding it though.

I found a ^L character at many places in networking.scm; I don't know if its appearance is legit or not. I think it's a garbage character that got copy/pasted over and over. I copied it just in case.

> >
> > +=0C
> > +;;;
> > +;;; Firewall
> > +;;;
> > +

Subject: [bug#48975] New firewall service
From: Arun Isaac
To: Solene Rapenne, 48975@debbugs.gnu.org
Cc: Jonathan Brielmaier
Date: Sun, 13 Jun 2021 14:59:31 +0530
Message-ID: <87czsqqfic.fsf@systemreboot.net>
In-Reply-To: <20210612191959.6394494e@perso.pw>

Hi Solene,

Thanks for the great work! I wrote the iptables service in the hope of some day extending it to something like this, but you've beaten me to it! :-) Some feedback follows.

Your implementation duplicates some of the code in the iptables service. How about making it simply /extend/ the iptables service with the generated rules? This way, you won't have to handle the start/stop iptables-restore gexps. The iptables service, when stopped, already has the correct behaviour of opening all ports. WDYT?
Regards,
Arun

Subject: [bug#48975] [PATCH] gnu: simple-firewall-service: Add a simple service wrapping iptables
From: antlers
To: 48975@debbugs.gnu.org
Date: Fri, 4 Nov 2022 00:25:50 -0700
Message-Id: <20221104072550.32038-1-autumnalantlers@gmail.com>
In-Reply-To: <20210612191959.6394494e@perso.pw>
From: antlers

* gnu/services/networking.scm (simple-firewall-service): Add.
(iptables-service): Allow a crude sort of service extension.

I tried out a keyword-based syntax:

```
(simple-firewall-configuration
 (allow-forwarding? #t)
 (allowed-ports '(#:both 51234 #:tcp 80 443 #:udp 4444)))
```

But kept the more verbose tcp and udp fields because I don't want people to have to use quasiquotes to splice in evaluated port numbers after the keywords.

I like the suggestion that there should be a field for redirecting packets, whether to loopback or another box, as it took me a while to learn about e.g. masquerading last time I needed to set something like that up. Not sure what command would be equivalent to the NAT suggestion?

I guess nftables has superseded iptables, but I'm not as familiar with it? Perhaps I can add it as a second back-end in the future. My primary concern right now is a pure Scheme interface for networking configuration; most notably via service inheritance!

Simple-firewall now lets you open ports via extensions in other services; in order for this option to be widely available, perhaps it's the {nf,ip}tables-services that should be extensible? It's a tricky problem atm because we don't really want services that need ports depending on a specific backend, there are existing APIs, they use plain-files over structs or strings, and rule orders need to be really specific/coordinated.

Idk, maybe that isn't something we really want in the first place, but it sure feels good from a configuration / organizational point-of-view.

Happy to tweak this again if anyone has ideas.
---
 gnu/services/networking.scm | 79 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 77 insertions(+), 2 deletions(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 19aba8c266..0866c10b34 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -18,6 +18,8 @@ ;;; Copyright © 2021 Christine Lemmer-Webber ;;; Copyright © 2021 Maxime Devos ;;; Copyright © 2021 Guillaume Le Vaillant +;;; Copyright © 2021 Solene Rapenne +;;; Copyright © 2022 antlers ;;; ;;; This file is part of GNU Guix. ;;; @@ -225,7 +227,11 @@ (define-module (gnu services networking) keepalived-configuration keepalived-configuration? - keepalived-service-type)) + keepalived-service-type + + simple-firewall-service-type + simple-firewall-configuration + simple-firewall-configuration?)) ;;; Commentary: ;;; @@ -1721,7 +1727,13 @@ (define iptables-service-type "Run @command{iptables-restore}, setting up the specified rules.") (extensions (list (service-extension shepherd-root-service-type - (compose list iptables-shepherd-service)))))) + (compose list iptables-shepherd-service)))) + ;; Some services extend iptables, but such services are mutually exclusive, + ;; and should be either extended directly or superseded entirely depending + ;; the complexity of your desired configuration. + (compose identity) + (extend (lambda (config entries) + (last entries))))) ;;; ;;; nftables 
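Review bot: the `extend` added to `iptables-service-type` returns `(last entries)`, so the service's own `iptables-configuration` is discarded as soon as any extension exists, and if two services extend iptables only one of them is installed, with no diagnostic; for a firewall that is a silent policy change. The comment already says such extensions are mutually exclusive, so enforce it: raise an error (or at least warn) when `entries` has more than one element, and document that an extension replaces, rather than merges with, the configured rules. Minor: the comment reads "depending the complexity", missing "on".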
@@ -2186,4 +2198,67 @@ (define keepalived-service-type "Run @uref{https://www.keepalived.org/, Keepalived} routing software."))) + +;;; +;;; Simple Firewall +;;; + +(define-record-type* + simple-firewall-configuration make-simple-firewall-configuration + simple-firewall-configuration? + (allow-icmp? simple-firewall-configuration-allow-icmp? + (default #f)) + (allow-forwarding? simple-firewall-configuration-allow-forwarding? + (default #f)) + + (open-tcp-ports simple-firewall-configuration-open-tcp-ports + (default '())) + (open-udp-ports simple-firewall-configuration-open-udp-ports + (default '()))) + +(define simple-firewall-configuration->iptables-rules + (match-lambda + (($ + allow-icmp? allow-forwarding? + open-tcp-ports open-udp-ports) + (string-join + `("*filter" + ":INPUT DROP" + ,(string-append ":FORWARD " (if allow-forwarding? "ACCEPT" "DROP")) + ":OUTPUT ACCEPT" + "-A INPUT -i lo -j ACCEPT" + "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" + ,@(unless allow-icmp? 
'("-A INPUT -p icmp -j DROP" + "-A INPUT -p icmpv6 -j DROP")) + ,@(map (cut string-append "-A INPUT -p tcp --dport " <> " -j ACCEPT") (map number->string open-tcp-ports)) + ,@(map (cut string-append "-A INPUT -p udp --dport " <> " -j ACCEPT") (map number->string open-udp-ports)) + "-A INPUT -j REJECT --reject-with icmp-port-unreachable" + "COMMIT") + "\n" 'suffix)))) + +(define (simple-firewall-configuration->iptables-configuration config) + (let ((rules (simple-firewall-configuration->iptables-rules config))) + (iptables-configuration + (ipv4-rules (plain-file "iptables.rules" rules)) + (ipv6-rules (plain-file "ip6tables.rules" rules))))) + +(define simple-firewall-service-type + (service-type + (name 'simple-firewall) + (description + "Run @command{iptables-restore}, setting up the specified rules.") + (extensions + (list (service-extension iptables-service-type + simple-firewall-configuration->iptables-configuration))) + (compose concatenate) + (extend (lambda (config entries) + (simple-firewall-configuration + (inherit config) + (open-tcp-ports + (concatenate (map simple-firewall-configuration-open-tcp-ports + (cons config entries)))) + (open-udp-ports + (concatenate (map simple-firewall-configuration-open-udp-ports + (cons config entries))))))))) + ;;; networking.scm ends here -- 2.38.0 From unknown Fri Jun 13 11:48:09 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#48975] [PATCH] gnu: simple-firewall-service: Add a simple service wrapping iptables Resent-From: antlers Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 06 Nov 2022 20:40:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 48975 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 48975@debbugs.gnu.org Received: via spool by 48975-submit@debbugs.gnu.org id=B48975.16677671873915 (code B ref 48975); Sun, 06 Nov 2022 20:40:02 +0000 Received: (at 48975) by debbugs.gnu.org; 6 Nov 2022 20:39:47 +0000 Received: from localhost 
MIME-Version: 1.0 References: <20221104072550.32038-1-autumnalantlers@gmail.com> In-Reply-To: <20221104072550.32038-1-autumnalantlers@gmail.com> From: antlers Date: Sun, 6 Nov 2022 12:39:26 -0800 Content-Type: text/plain; charset="UTF-8"

After googling around a bit it looks like the `*filter` and `COMMIT` commands in iptables configurations do in fact form a transactional block that would allow us to accept additional plain-files via extensions and just concatenate them, if that's a road we want to go down

On Fri, Nov 4, 2022 at 12:26 AM antlers wrote:
> From: antlers
>
> * gnu/services/networking.scm (simple-firewall-service): Add.
>   (iptables-service): Allow a crude sort of service extension.
>
> I tried out a keyword-based syntax:
> ```
> (simple-firewall-configuration
>   (allow-forwarding? #t)
>   (allowed-ports '(#:both 51234
>                    #:tcp  80 443
>                    #:udp  4444))
> ```
> But kept the more verbose tcp and udp fields because I don't want
> people to have to use quasiquotes to splice in evaluated port-numbers
> after the keywords.
>
> I like the suggestion that there should be a field for redirecting
> packets, whether to loopback or another box, as it took me a while to
> learn about e.g. masquerading last time I needed to set something like
> that up. Not sure what command would be equivalent to the NAT
> suggestion?
>
> I guess nftables has superseded iptables, but I'm not as familiar with
> it? Perhaps I can add it as a second back-end in the future. My
> primary concern right now is a pure Scheme interface for networking
> configuration; most notably via service inheritance! Simple-firewall
> now lets you open ports via extensions in other services; in order for
> this option to be widely available, perhaps it's the
> {nf,ip}tables-services that should be extensible? It's a tricky
> problem atm because we don't really want services that need ports
> depending on a specific backend, there are existing APIs, they use
> plain-files over structs or strings, and rule orders need to be
> really specific/coordinated. Idk, maybe that isn't something we really
> want in the first place, but it sure feels good from a configuration /
> organizational point-of-view. Happy to tweak this again if anyone has
> ideas.
> ---
>  gnu/services/networking.scm | 79 ++++++++++++++++++++++++++++++++++++-
>  1 file changed, 77 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 19aba8c266..0866c10b34 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm
> @@ -18,6 +18,8 @@ > ;;; Copyright =C2=A9 2021 Christine Lemmer-Webber > ;;; Copyright =C2=A9 2021 Maxime Devos > ;;; Copyright =C2=A9 2021 Guillaume Le Vaillant > +;;; Copyright =C2=A9 2021 Solene Rapenne > +;;; Copyright =C2=A9 2022 antlers > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -225,7 +227,11 @@ (define-module (gnu services networking) > > keepalived-configuration > keepalived-configuration? > - keepalived-service-type)) > + keepalived-service-type > + > + simple-firewall-service-type > + simple-firewall-configuration > + simple-firewall-configuration?)) > > ;;; Commentary: > ;;; > @@ -1721,7 +1727,13 @@ (define iptables-service-type > "Run @command{iptables-restore}, setting up the specified rules.") > (extensions > (list (service-extension shepherd-root-service-type > - (compose list iptables-shepherd-service))))= )) > + (compose list iptables-shepherd-service)))) > + ;; Some services extend iptables, but such services are mutually > exclusive, > + ;; and should be either extended directly or superseded entirely > depending > + ;; the complexity of your desired configuration. > + (compose identity) > + (extend (lambda (config entries) > + (last entries))))) > > ;;; > ;;; nftables 
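Review bot: in the `iptables-service-type` hunk, `(extend (lambda (config entries) (last entries)))` silently discards the operating system's own `iptables-configuration` as soon as any service extends iptables, and silently discards every extension but the last when several do, even though the comment says such services are mutually exclusive; raising an error when `entries` holds more than one configuration (or when both `config` and an extension are present) would surface the conflict instead of leaving the host running a rule set nobody chose. The comment itself reads "depending the complexity"; that should be "depending on the complexity".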
> @@ -2186,4 +2198,67 @@ (define keepalived-service-type > "Run @uref{https://www.keepalived.org/, Keepalived} > routing software."))) > > + > +;;; > +;;; Simple Firewall > +;;; > + > +(define-record-type* > + simple-firewall-configuration make-simple-firewall-configuration > + simple-firewall-configuration? > + (allow-icmp? simple-firewall-configuration-allow-icmp? > + (default #f)) > + (allow-forwarding? simple-firewall-configuration-allow-forwarding? > + (default #f)) > + > + (open-tcp-ports simple-firewall-configuration-open-tcp-ports > + (default '())) > + (open-udp-ports simple-firewall-configuration-open-udp-ports > + (default '()))) > + > +(define simple-firewall-configuration->iptables-rules > + (match-lambda > + (($ > + allow-icmp? allow-forwarding? > + open-tcp-ports open-udp-ports) > + (string-join > + `("*filter" > + ":INPUT DROP" > + ,(string-append ":FORWARD " (if allow-forwarding? "ACCEPT" > "DROP")) > + ":OUTPUT ACCEPT" > + "-A INPUT -i lo -j ACCEPT" > + "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" > + ,@(unless allow-icmp? 
'("-A INPUT -p icmp -j DROP" > + "-A INPUT -p icmpv6 -j DROP")) > + ,@(map (cut string-append "-A INPUT -p tcp --dport " <> " -j > ACCEPT") (map number->string open-tcp-ports)) > + ,@(map (cut string-append "-A INPUT -p udp --dport " <> " -j > ACCEPT") (map number->string open-udp-ports)) > + "-A INPUT -j REJECT --reject-with icmp-port-unreachable" > + "COMMIT") > + "\n" 'suffix)))) > + > +(define (simple-firewall-configuration->iptables-configuration config) > + (let ((rules (simple-firewall-configuration->iptables-rules config))) > + (iptables-configuration > + (ipv4-rules (plain-file "iptables.rules" rules)) > + (ipv6-rules (plain-file "ip6tables.rules" rules))))) > + > +(define simple-firewall-service-type > + (service-type > + (name 'simple-firewall) > + (description > + "Run @command{iptables-restore}, setting up the specified rules.") > + (extensions > + (list (service-extension iptables-service-type > + > simple-firewall-configuration->iptables-configuration))) > + (compose concatenate) > + (extend (lambda (config entries) > + (simple-firewall-configuration > + (inherit config) > + (open-tcp-ports > + (concatenate (map > simple-firewall-configuration-open-tcp-ports > + (cons config entries)))) > + (open-udp-ports > + (concatenate (map > simple-firewall-configuration-open-udp-ports > + (cons config entries))))))))) > + > ;;; networking.scm ends here > -- > 2.38.0 > > --0000000000002f2ad605ecd34e8e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
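Review bot: in the Simple Firewall hunk, `simple-firewall-configuration->iptables-configuration` installs the same rule text as both `ipv4-rules` and `ipv6-rules`, but `--reject-with icmp-port-unreachable` is an IPv4-only reject type (ip6tables spells it `icmp6-port-unreachable`), so `ip6tables-restore` refuses the file and the IPv6 side ends up without the intended filter; generate a separate rule list per address family, which also lets you drop the blanket `-A INPUT -p icmpv6 -j DROP` on the IPv6 side, where it discards Neighbour Discovery and Router Advertisements and so breaks IPv6 connectivity outright at the default `allow-icmp? #f`. Second, `,@(unless allow-icmp? '("-A INPUT -p icmp -j DROP" ...))` splices an unspecified value rather than an empty list when `allow-icmp?` is `#t`, so rule generation fails for exactly the users who set the flag; write `(if allow-icmp? '() '("-A INPUT -p icmp -j DROP" "-A INPUT -p icmpv6 -j DROP"))` instead. Finally, please document the extension convention in the service description: with `(compose concatenate)` every extending service must return a list of `simple-firewall-configuration` records, and `extend` merges only their `open-tcp-ports` and `open-udp-ports`, while `allow-icmp?` and `allow-forwarding?` come from the base configuration alone.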
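The commit message says other services can open ports through `simple-firewall-service-type`; the following is an added example, not part of the patch, of a hypothetical service doing so. It assumes the patch above is applied and that `my-web-service-type`, `my-web-firewall-extension` and the port numbers are made up for illustration.

```scheme
;; Added example (not part of the patch): a hypothetical service that opens
;; its own ports through simple-firewall-service-type, assuming the patch
;; defining that service type is applied.
(use-modules (gnu services)
             (gnu services networking))

;; An extension must return a *list* of simple-firewall-configuration
;; records: the service's (compose concatenate) flattens these lists and its
;; `extend' procedure merges the open-tcp-ports / open-udp-ports of all of
;; them into the base configuration.  allow-icmp? and allow-forwarding? are
;; taken from the base configuration only, so they are left unset here.
(define (my-web-firewall-extension config)
  (list (simple-firewall-configuration
         (open-tcp-ports '(80 443)))))

;; Hypothetical service type whose only job here is to extend the firewall.
(define my-web-service-type
  (service-type
   (name 'my-web)
   (description "Hypothetical web service that opens TCP ports 80 and 443.")
   (extensions
    (list (service-extension simple-firewall-service-type
                             my-web-firewall-extension)))
   (default-value #f)))

;; Services for an operating-system declaration: the base firewall keeps the
;; default INPUT DROP policy and opens TCP 22 plus UDP 51820 (constructed
;; values); the extension adds TCP 80 and 443, so the generated rules accept
;; TCP 22, 80, 443 and UDP 51820 on INPUT and reject everything else.
(define %services
  (list (service simple-firewall-service-type
                 (simple-firewall-configuration
                  (open-tcp-ports '(22))
                  (open-udp-ports '(51820))))
        (service my-web-service-type)))

;; For a one-off extension without a new service type, simple-service from
;; (gnu services) does the same thing:
;;   (simple-service 'web-ports simple-firewall-service-type
;;                   (list (simple-firewall-configuration
;;                          (open-tcp-ports '(80 443)))))
```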