Firewall

On NixOS, our general firewall rules apply with a slight deviation: access is limited by default and can be enabled on a per-case basis.

You are free to open any port you like on the frontend network (ethfe), which is accessible to the outside world. The server-to-server network is only accessible in a limited way from the outside, but freely to the machines in the same project.

Adding custom configuration

To add firewall rules, place configuration files in /etc/local/firewall/. Upon the next configuration activation, all files placed there are concatenated and inserted at a late stage of the firewall configuration.

The files are shell scripts and are intended to be very simple. We check that all lines are either:

  • comments (starting with #)

  • invocations of an iptables command (iptables, ip6tables, ip46tables)

After making changes to the firewall configuration, either wait for the agent to apply it or run sudo fc-manage -b.

Note

Use IP addresses in firewall rules. Using host names is not reliable and unsupported.

Firewall chains

Use only the firewall chains mentioned below for custom rules. The built-in chains like INPUT are reserved for system use.

Matching rules

nixos-fw

Standard firewall chain for subnet and port blocks.

nixos-nat-pre

Chain for pre-routing actions like port redirects.

nixos-nat-post

Chain for post-routing actions like masquerading.

Jump targets

nixos-fw-accept

Accept traffic destined to local host.

nixos-fw-refuse

Deny traffic by replying with an ICMP unreachable message.

nixos-fw-log-refuse

Deny traffic by replying with an ICMP unreachable message and log denied packets to the journal. Log rate limits apply.

nixos-drop

Throw away traffic without notifying the sender. Not recommended since this is hard to debug.

Examples

Accept TCP traffic on ethfe to port 32542:

ip46tables -I nixos-fw 1 -p tcp -i ethfe --dport 32542 -j nixos-fw-accept

Refuse UDP traffic on ethsrv to port 2222:

ip46tables -I nixos-fw 1 -p udp -i ethsrv --dport 2222 -j nixos-fw-refuse

Refuse traffic from a specific subnet (with logging):

ip6tables -I nixos-fw 1 -s 2001:db8:33::/48 -j nixos-fw-log-refuse

Masquerade outgoing traffic on ethsrv:

iptables -t nat -A nixos-nat-post -o ethsrv -j MASQUERADE

Divert incoming traffic on ethfe port 22 to a different port:

ip46tables -t nat -A nixos-nat-pre -i ethfe -p tcp --dport 22 -j REDIRECT --to-ports 2222

How to verify

Service users may list the currently active firewall rules with sudo iptables -L (and sudo ip6tables -L for IPv6), e.g.:

iptables -L -nv    # show IPv4 firewall rules w/o DNS resolution
ip6tables -L -nv   # show IPv6 firewall rules w/o DNS resolution

If the intended rules do not show up, check the system journal for possible syntax errors in /etc/local/firewall and re-run sudo fc-manage -b.
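Since a malformed snippet is only reported in the journal after activation, it helps to check a file before dropping it into /etc/local/firewall/. The following shell script is an added example, not part of the platform's own tooling: it applies the two rules stated above (every line is a comment or an iptables/ip6tables/ip46tables call, and custom rules may only touch nixos-fw, nixos-nat-pre and nixos-nat-post) to a constructed snippet that reuses two of the example rules. The fw_lint function name and the tolerance for blank lines are this script's own choices.

```shell
# Added example (not the platform's own code): pre-check a snippet intended for
# /etc/local/firewall/. Every non-blank line must be a comment or an
# iptables/ip6tables/ip46tables call, and the chain named after -A/-I/-D/-R
# must be one of the custom chains; built-in chains such as INPUT are rejected.
# fw_lint FILE -> exit status 0 if every line is acceptable, 1 otherwise.
fw_lint() {
    f=$1 rc=0 n=0
    set -f                                 # no globbing while splitting rule words
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        t=${line#"${line%%[![:space:]]*}"}  # strip leading whitespace
        case "$t" in
            '' | '#'*) continue ;;          # blank line or comment: fine
        esac
        cmd=${t%%[[:space:]]*}              # first word of the line
        case "$cmd" in
            iptables | ip6tables | ip46tables) ;;
            *) printf '%s:%d: not a comment or iptables call: %s\n' "$f" "$n" "$line" >&2
               rc=1; continue ;;
        esac
        prev=''
        for tok in $t; do                   # the chain is the word after -A/-I/-D/-R
            case "$prev" in
                -A | -I | -D | -R)
                    case "$tok" in
                        nixos-fw | nixos-nat-pre | nixos-nat-post) ;;
                        *) printf '%s:%d: chain %s is reserved for system use\n' "$f" "$n" "$tok" >&2
                           rc=1 ;;
                    esac ;;
            esac
            prev=$tok
        done
    done < "$f"
    set +f
    return "$rc"
}

# Demo on a constructed snippet: two rules from the examples above, followed by
# two deliberate mistakes (a built-in chain, then a command that is not iptables).
demo=${TMPDIR:-/tmp}/fw-lint-demo.$$
cat > "$demo" <<'EOF'
# open the application port on the frontend network
ip46tables -I nixos-fw 1 -p tcp -i ethfe --dport 32542 -j nixos-fw-accept
iptables -t nat -A nixos-nat-post -o ethsrv -j MASQUERADE
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
echo "this is not allowed here"
EOF
fw_lint "$demo" && echo "snippet OK" || echo "snippet rejected"
rm -f "$demo"
```

Run the script with sh against your own file instead of the demo to see each offending line reported with its line number before the agent ever picks the file up.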

Fail2ban

We use fail2ban to protect against brute-force attacks and DoS vectors via unauthenticated connections.

Currently we only have the SSH jail enabled, in ddos mode. If you have 5 authentication failures or trigger the DDoS rules within 10 minutes, your IP will be blocked for 10 minutes.