Overwrite firewall settings

anon22412468 · October 7, 2020, 6:59am

I bumped into NixOS peculiarity, due to which, I can’t fully control firewall on my machine. For example, if I enable OpenSSH service, it automatically allows connection to 22nd port in firewall policies. And even if I remove 22nd port from allowedTCPPorts and allowedUDPPorts, this won’t make any sense, because OpenSSH service in NixOS is programmed to open ssh port when this service is being enabled.

What I want is to force overwrite firewall settings in NixOS. I want ssh port to remain filtered, even if OpenSSH service is enabled. Is there any way to do so?

nixinator · October 7, 2020, 6:01pm

in

nixos/modules/services/networking/ssh/sshd.nix

you can set

services.openssh.openFirewall = false;

   openFirewall = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Whether to automatically open the specified ports in the firewall.
        '';
      };

this seems to effect.

 networking.firewall.allowedTCPPorts = if cfg.openFirewall then cfg.ports else [];

later in the code.

anon22412468 · October 8, 2020, 6:22am

Ok. That’s seems to be a solution, but this applies only to this particular case

Many other services do not have this option, which is a pity

jonringer · October 8, 2020, 7:06am

the modules will need to be extended to expose it.

nixinator · October 8, 2020, 8:51am

i think the ssh module is the only one that has this behaviour , all other modules need to be explicitly opened with the firewall if i’m not mistaken.

I think ssh works like this because of deployment / nixos / docker and containers… so you can always get to your deployed machine.

anon22412468 · October 9, 2020, 2:25pm

Nope. Dovecot(IMAP server), Postfix(SMTP server), also opens ports by default

nixinator · October 9, 2020, 11:46pm

I see, i presume the reasoning is , that if your installing these services, you probably want other machines to connect to it, else you won’t be receiving much mail from users outside of that system.

as what the default behaviour should be , it’s tricky… because it’s easy to forget to open up your firewall, leading to a bit of confusion.

Maybe it should be a standard, but if i know nixpkgs, it’s really ‘do what you want, how you want’ and commit.

The question is should all services should be allowed to do this and made a ‘standard’ in nixpkgs?

does nixpkgs even have ‘standards or guidelines’?

primeos · October 11, 2020, 1:45pm

Something like networking.firewall.allowedTCPPorts = lib.mkForce [ ]; should prevent NixOS modules (but also your own modules/options!) from adding ports (by not merging them into the list). But in this case services.openssh.openFirewall = false; is usually better as the SSH module is supposed to be the only module that opens ports (an exception was made as SSH access is very important).

Yes. IIRC there was a “rule” that no other modules should modify firewall settings as that is up to the administrator and should be a conscious choice.

Then I guess we’ve either dropped the rule (not sure how well documented this was) or this was missed during the review (which would be unfortunate…). Personally I don’t think any module/service should open any ports, especially not by default (except SSH of course).

primeos · October 11, 2020, 1:53pm

I just looked at this again and found the old thread: NixOS Firewall should automatically allow ports for enabled services. · Issue #19504 · NixOS/nixpkgs · GitHub

And NixOS - Nixpkgs 21.11 manual still states:

Ensure that the module respect other modules functionality.

For example, enabling a module should not open firewall ports by default.

So I’d consider that a (security) bug of the Dovecot and Postfix modules and think that this should then at least be clearly mentioned in the documentation of their enable options.

hmenke · October 11, 2020, 6:32pm

Are you really sure about that?

$ grep 'firewall' nixpkgs/nixos/modules/services/mail/{dovecot,postfix}.nix
$ grep 'Ports' nixpkgs/nixos/modules/services/mail/{dovecot,postfix}.nix 
$ grep 'TCP' nixpkgs/nixos/modules/services/mail/{dovecot,postfix}.nix
$

Please provide proof.

anon22412468 · October 12, 2020, 8:39am

I’m not using Dovecot and Postfix directly. I’m using this mailserver: simple-nixos-mailserver / nixos-mailserver · GitLab

I assume, it manages firewall rules, but not the Dovecot or Postfix, that it utilizes

hmenke · October 12, 2020, 8:56am

That is something else, entirely, because the simple-nixos-mailserver is not part of nixpkgs. It opens these ports by default because if your mailserver can’t communicate it is completely useless and the overwhelming majority of users will want a useful mailserver.

anon22412468 · October 12, 2020, 10:11am

Opening ports directly to the web - isn’t the only way to make it usable. In my case, I want to hide all my services(except SMTP Server) behind VPN, and be able to access them only while being connected to VPN. So the only two ports, I need to be opened to the world - is VPN port and SMTP port

hmenke · October 12, 2020, 10:25am

But you are also not the majority of users. If you don’t agree with this default you should open an issue here: Issues · simple-nixos-mailserver / nixos-mailserver · GitLab

anon22412468 · October 12, 2020, 10:41am

I’m not arguing with the default standarts. I just wanted to know, if there’s a way to overwrite them, to match my particular case. But, if there’s no way to do so, I’ll be looking for some sort of software solution of this problem(like using ufw instead of default iptables)

hmenke · October 12, 2020, 10:44am

In that case this solution from an earlier post in this thread will do: