GNU bug report logs - #48975
New firewall service

Previous Next

Package: guix-patches;

Reported by: Solene Rapenne <solene <at> perso.pw>

Date: Sat, 12 Jun 2021 17:21:02 UTC

Severity: normal

Full log

View this message in rfc822 format

From: Jonathan Brielmaier <jonathan.brielmaier <at> web.de>
To: Solene Rapenne <solene <at> perso.pw>, 48975 <at> debbugs.gnu.org
Subject: [bug#48975] New firewall service
Date: Sat, 12 Jun 2021 21:59:53 +0200

On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> Hello,
>
> I wrote a new firewall service, I already wrote an email to guix-devel
> about it and I've been suggested to submit it here.
>
> The idea is to propose an easy way to manage your firewall. On a
> personal computer or a server with no fancy network, you certainly want
> to block access from the outside to all the ports except a few ones.

Hi Solene,

that is a really good idea. So I could get rid of my growing lines of
plain iptables in my Guix config :)

> The configuration looks like this, currently it only supports TCP and
> UDP ports. Maybe NAT could be added later or other feature, I'm opened
> to suggestions.
>
> (service firewall-service-type
>    (firewall-configuration
>      (udp '(53))
>      (tcp '(22 70 1965))))

I think we could improve the syntax as to be honest I'm unsure if the
listed ports are the open or the closed ones.

Maybe we could call this service simple-firewall-service-type or
something along this.

>
> Here is the code, I took bits from iptables as a base and then used the
> Tor service way to generate the configuration file.
>
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 87b3d754a3..d311f95448 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm

You should add a copyright line for yourself at the top of the file.

> @@ -221,7 +221,11 @@
>
>               keepalived-configuration
>               keepalived-configuration?
> -            keepalived-service-type))
> +            keepalived-service-type
> +
> +            firewall-service-type
> +            firewall-configuration
> +            firewall-configuration?))
>
>   ;;; Commentary:
>   ;;;
> @@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network.")))
>                    "Run @uref{https://www.keepalived.org/, Keepalived}
>   routing software.")))
>
> +
> +;;;
> +;;; Firewall
> +;;;
> +
> +(define-record-type* <firewall-configuration>
> +  firewall-configuration make-firewall-configuration
> +  firewall-configuration?
> +  (tcp firewall-configuration-tcp
> +       (default '()))
> +  (udp firewall-configuration-udp
> +       (default '())))
> +
> +(define (firewall-configuration->file tcp udp)
> +  "Return the iptables rules from the ports list"
> +  (computed-file
> +   "firewall-generated-rules"
> +   (with-imported-modules '((guix build utils))
> +     #~(begin
> +         (use-modules (guix build utils)
> +                      (ice-9 match))
> +         (call-with-output-file #$output
> +           (lambda (out)
> +             (display "\
> +*filter
> +:INPUT DROP
> +:FORWARD DROP
> +:OUTPUT ACCEPT
> +-A INPUT -i lo -j ACCEPT
> +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out)
> +
> +             ;; tcp rules
> +             (when (not (null? (list #$@tcp)))
> +               (format out "\
> +~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}"
> +                       (list #$@tcp)))
> +
> +             ;; udp rules
> +             (when (not (null? (list #$@udp)))
> +               (format out "\
> +~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}"
> +                       (list #$@udp)))
> +
> +             (display "COMMIT\n" out)
> +             #t))))))

I'm not an iptables expert but does this config block/open IPv4 as well
as IPv6?

> +(define firewall-shepherd-service
> +  (match-lambda
> +    (($ <firewall-configuration> tcp udp)
> +     (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
> +            (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore"))
> +            (ruleset (firewall-configuration->file tcp udp)))
> +       (shepherd-service
> +        (documentation "Easy firewall management")
> +        (provision '(firewall))
> +        (start #~(lambda _
> +                   (invoke #$iptables-restore  #$ruleset)
> +                   (invoke #$ip6tables-restore #$ruleset)))
> +        (stop #~(lambda _
> +                  (invoke #$iptables-restore #$ruleset)
> +                  (invoke #$ip6tables-restore #$ruleset))))))))
> +
> +(define firewall-service-type
> +  (service-type
> +   (name 'firewall)
> +   (description
> +    "Run @command{iptables-restore}, setting up the specified rules.")
> +   (extensions
> +    (list (service-extension shepherd-root-service-type
> +                             (compose list firewall-shepherd-service))))))
> +
> +
>   ;;; networking.scm ends here
>
>
>
This bug report was last modified 2 years and 220 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.