nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 15:03:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

firewall: disable conntrack helper autoloading by default

Browse Source 
This was disabled in the Linux kernel since 4.7 and poses a security risk
if not configured properly.

https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
This commit is contained in:
Franz Pletz 2017-01-22 17:29:38 +01:00
parent 403fdd737e
commit 8322a12ef2
No known key found for this signature in database
GPG Key ID: 846FDED7792617B4
2 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
nixos/modules/services/networking/firewall.nix
View File

@ -425,7 +425,7 @@ in
networking.firewall.connectionTrackingModules = mkOption {
type = types.listOf types.str;
default = [ "ftp" ];
default = [ ];
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
description =
''
@ -434,9 +434,11 @@ in
As helpers can pose as a security risk, it is advised to
set this to an empty list and disable the setting
networking.firewall.autoLoadConntrackHelpers
networking.firewall.autoLoadConntrackHelpers unless you
know what you are doing. Connection tracking is disabled
by default.
Loading of helpers is recommended to be done through the new
Loading of helpers is recommended to be done through the
CT target. More info:
https://home.regit.org/netfilter-en/secure-use-of-helpers/
'';
@ -444,7 +446,7 @@ in
networking.firewall.autoLoadConntrackHelpers = mkOption {
type = types.bool;
default = true;
default = false;
description =
''
Whether to auto-load connection-tracking helpers.
@ -504,9 +506,10 @@ in
environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
options nf_conntrack nf_conntrack_helper=0
boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers ''
options nf_conntrack nf_conntrack_helper=1
'';
assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;

3
nixos/tests/nat.nix
View File

@ -65,9 +65,6 @@ import ./make-test.nix ({ pkgs, withFirewall, ... }:
$server->succeed("echo Hello World > /home/ftp/foo.txt");
$client->succeed("curl -v ftp://server/foo.txt >&2");
# Test whether active FTP works.
$client->succeed("curl -v -P - ftp://server/foo.txt >&2");
# Test ICMP.
$client->succeed("ping -c 1 router >&2");
$router->succeed("ping -c 1 client >&2");