Global knob to always set openFirewall false?

Solene · December 4, 2022, 12:21pm

Hi, I was wondering if a global setting existed to always set openFirewall options to false?

This would be very useful to me at least, I’m sometimes using a VPN with static public IPv4 on it, and it happened I exposed services on it because a service received an openFirewall attribute defaulting to true, or that I overlooked the setting entirely.

Do you think it would be worth adding to the options in the firewall service?

natto1784 · December 4, 2022, 12:28pm

I don’t think so, you might want to change the default in the module though. I don’t think it is a good idea for it to default to true.

aanderse · December 4, 2022, 12:32pm

We have an unwritten policy that openFirewall must always default to false *except" for the the openssh service. Any deviation from this is a bug and should either be reported or fixed.

Solene · December 4, 2022, 12:47pm

this sounds more reasonable to me

Solene · December 4, 2022, 12:52pm

github.com/NixOS/nixpkgs

Switch default openFirewall to false for NixOS services

NixOS:master ← rapenne-s:openFirewall_off

opened 12:52PM - 04 Dec 22 UTC

rapenne-s

+4 -6

###### Description of changes openFirewall should be set to false all the tim…e, except for openssh, this avoids surprises to users who may not want to expose an enabled service without explicit consent. ###### Things done - Built on platform(s) - [ ] x86_64-linux - [ ] aarch64-linux - [ ] x86_64-darwin - [ ] aarch64-darwin - [ ] For non-Linux: Is `sandbox = true` set in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html)) - [ ] Tested, as applicable: - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - and/or [package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests) - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test) - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage) - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`) - [23.05 Release Notes (or backporting 22.11 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2305-release-notes) - [ ] (Package updates) Added a release notes entry if the change is major or breaking - [ ] (Module updates) Added a release notes entry if the change is significant - [ ] (Module addition) Added a release notes entry if adding a new NixOS module - [ ] (Release notes changes) Ran `nixos/doc/manual/md-to-db.sh` to update generated release notes - [X] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).

Solene · December 5, 2022, 10:02am

new PR at make openFirewall options to false for NixOS services by rapenne-s · Pull Request #204618 · NixOS/nixpkgs · GitHub
because I failed my rebase…

ius · December 10, 2022, 1:38pm

Related fallout PR at nixos/avahi: revert closing firewall port by default by SuperSandro2000 · Pull Request #205399 · NixOS/nixpkgs · GitHub (posted my comment there)