Firewall¶
On NixOS, our general firewall rules apply with a slight deviation: access is limited by default and can be enabled on a per-case basis.
You are free to open any port you like on the frontend network (ethfe), which is
reachable from the outside world. The server-to-server network (ethsrv) is only
accessible in a limited way from the outside and freely to the machines
in the same project.
Adding custom configuration¶
To add firewall rules, place configuration files in /etc/local/firewall/*.
Upon the next config activation all files placed there are concatenated and
inserted at a late stage of the firewall configuration.
The files are shell scripts and are intended to be very simple. We check that all lines are either:
- comments (starting with #)
- invocations of an iptables command (iptables, ip6tables, ip46tables)
After making changes to the firewall configuration, either wait for the
agent to apply it or run sudo fc-manage -b.
Note
Use IP addresses in firewall rules. Using host names is not reliable and unsupported.
Firewall chains¶
Use only the firewall chains mentioned below for custom rules. The built-in
chains like INPUT are reserved for system use.
Matching rules¶
- nixos-fw
Standard firewall chain for subnet and port blocks.
- nixos-nat-pre
Chain for pre-routing actions like port redirects.
- nixos-nat-post
Chain for post-routing actions like masquerading.
Jump targets¶
- nixos-fw-accept
Accept traffic destined to local host.
- nixos-fw-refuse
Deny traffic by replying with an ICMP unreachable message.
- nixos-fw-log-refuse
Deny traffic by replying with an ICMP unreachable message and log denied packets to the journal. Log rate limits apply.
- nixos-drop
Throw away traffic without notifying the sender. Not recommended since this is hard to debug.
Examples¶
Accept TCP traffic on ethfe to port 32542:
ip46tables -I nixos-fw 1 -p tcp -i ethfe --dport 32542 -j nixos-fw-accept
Refuse UDP traffic on ethsrv to port 2222:
ip46tables -I nixos-fw 1 -p udp -i ethsrv --dport 2222 -j nixos-fw-refuse
Refuse traffic from specific subnet (with logging):
ip6tables -I nixos-fw 1 -s 2001:db8:33::/48 -j nixos-fw-log-refuse
Masquerade outgoing traffic on ethsrv:
iptables -t nat -A nixos-nat-post -o ethsrv -j MASQUERADE
Divert incoming traffic on ethfe port 22 to a different port:
ip46tables -t nat -A nixos-nat-pre -i ethfe -p tcp --dport 22 -j REDIRECT --to-ports 2222
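The rules from the examples above gathered into one fragment file as it would be placed in /etc/local/firewall, together with a small lint to run locally before activation. The lint enforces the rule stated under "Adding custom configuration" (every line is a comment or an iptables, ip6tables or ip46tables invocation) and additionally rejects rules that target a chain other than nixos-fw, nixos-nat-pre or nixos-nat-post, which goes beyond the check the page says the platform performs. This is an added example, not the platform's own checker or a file from this page; the fragment name 10-app.sh, port 9000 and the project subnet are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the platform's code): a constructed /etc/local/firewall
# fragment plus a local lint to run before activation.

# Constructed fragment, e.g. /etc/local/firewall/10-app.sh (hypothetical name).
# Positions matter: the accept rule is inserted at 1 and the log-refuse at 2,
# so the project subnet is accepted before everything else on that port is refused.
SAMPLE_FRAGMENT='# app on the frontend network, reachable from anywhere
ip46tables -I nixos-fw 1 -p tcp -i ethfe --dport 32542 -j nixos-fw-accept
# admin port on ethsrv: one project subnet (constructed) in, log-refuse the rest
ip6tables -I nixos-fw 1 -p tcp -i ethsrv -s 2001:db8:33::/48 --dport 9000 -j nixos-fw-accept
ip6tables -I nixos-fw 2 -p tcp -i ethsrv --dport 9000 -j nixos-fw-log-refuse
# masquerade what leaves via ethsrv
iptables -t nat -A nixos-nat-post -o ethsrv -j MASQUERADE
'

# allowed_chain TOKENS...: given a tokenised iptables command, return 1 if it
# appends/inserts/deletes in a chain other than the three custom chains.
# (Extra check, beyond what the page says the platform enforces.)
allowed_chain() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|-I|-D|--append|--insert|--delete)
                case "$2" in
                    nixos-fw|nixos-nat-pre|nixos-nat-post) return 0 ;;
                    *) return 1 ;;
                esac ;;
        esac
        shift
    done
    return 0   # no chain operation found; leave that to iptables itself
}

# lint_firewall_fragment: read a fragment on stdin; print each offending line
# to stderr; return 0 only if every line is blank, a comment, or an
# iptables/ip6tables/ip46tables call targeting an allowed chain.
lint_firewall_fragment() {
    rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            ''|'#'*) ;;                         # blank or comment
            'iptables '*|'ip6tables '*|'ip46tables '*)
                # word splitting is intended here: tokenise the rule
                set -- $trimmed
                if ! allowed_chain "$@"; then
                    printf 'line %d: rule targets a reserved chain: %s\n' "$n" "$line" >&2
                    rc=1
                fi ;;
            *)
                printf 'line %d: not a comment or iptables call: %s\n' "$n" "$line" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone usage: lint the constructed fragment before copying it into place.
printf '%s' "$SAMPLE_FRAGMENT" | lint_firewall_fragment && echo "fragment ok"
```

Run the lint over a fragment before copying it into /etc/local/firewall; the platform's own check still runs at activation, and any error it reports appears in the system journal as described under "How to verify".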
How to verify¶
Service users may list currently active firewall rules with sudo iptables -L, e.g.:
iptables -L -nv # show IPv4 firewall rules w/o DNS resolution
ip6tables -L -nv # show IPv6 firewall rules w/o DNS resolution
If the intended rules do not show up, check the system journal for possible
syntax errors in /etc/local/firewall and re-run sudo fc-manage -b.
Fail2ban¶
We use fail2ban to protect against brute-force attacks and DoS vectors via unauthenticated connections.
Currently we only have the SSH jail enabled in the ddos mode. If you have 5
authentication failures or trigger the DDoS rules within 10 minutes, your IP
will be blocked for 10 minutes.