From 8322a12ef2ce6ea5a239b2221aa6f9a2fe84d904 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 17:29:38 +0100 Subject: [PATCH] firewall: disable conntrack helper autoloading by default This was disabled in the Linux kernel since 4.7 and poses a security risk if not configured properly. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f --- nixos/modules/services/networking/firewall.nix | 17 ++++++++++------- nixos/tests/nat.nix | 3 --- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 0b0ee57cf7ad..34b731ad35c9 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -425,7 +425,7 @@ in networking.firewall.connectionTrackingModules = mkOption { type = types.listOf types.str; - default = [ "ftp" ]; + default = [ ]; example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; description = '' @@ -434,9 +434,11 @@ in As helpers can pose as a security risk, it is advised to set this to an empty list and disable the setting - networking.firewall.autoLoadConntrackHelpers + networking.firewall.autoLoadConntrackHelpers unless you + know what you are doing. Connection tracking is disabled + by default. - Loading of helpers is recommended to be done through the new + Loading of helpers is recommended to be done through the CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/ ''; @@ -444,7 +446,7 @@ in networking.firewall.autoLoadConntrackHelpers = mkOption { type = types.bool; - default = true; + default = false; description = '' Whether to auto-load connection-tracking helpers. @@ -504,9 +506,10 @@ in environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages; - boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; - boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) '' - options nf_conntrack nf_conntrack_helper=0 + boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack") + ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; + boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers '' + options nf_conntrack nf_conntrack_helper=1 ''; assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter; diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix index 4fbf64462682..b16260be38c4 100644 --- a/nixos/tests/nat.nix +++ b/nixos/tests/nat.nix @@ -65,9 +65,6 @@ import ./make-test.nix ({ pkgs, withFirewall, ... }: $server->succeed("echo Hello World > /home/ftp/foo.txt"); $client->succeed("curl -v ftp://server/foo.txt >&2"); - # Test whether active FTP works. - $client->succeed("curl -v -P - ftp://server/foo.txt >&2"); - # Test ICMP. $client->succeed("ping -c 1 router >&2"); $router->succeed("ping -c 1 client >&2");