author | lassulus <lass@aidsballs.de> | 2015-07-13 13:39:49 +0200 |
---|---|---|
committer | lassulus <lass@aidsballs.de> | 2015-07-16 15:47:28 +0200 |
commit | d629bee9546fa6ed6a018f2b6d491a851ad12738 (patch) | |
tree | 049777923f431beab9b3fd0a5e1c3953f4418451 /old/modules/lass/base.nix | |
parent | 02261729c0a4108f2fcccf062b603d62f56782bf (diff) |
"rebase"
Diffstat (limited to 'old/modules/lass/base.nix')
-rw-r--r-- | old/modules/lass/base.nix | 61 |
1 files changed, 40 insertions, 21 deletions
diff --git a/old/modules/lass/base.nix b/old/modules/lass/base.nix index 3a8d879eb..159372a24 100644 --- a/old/modules/lass/base.nix +++ b/old/modules/lass/base.nix @@ -3,6 +3,7 @@ { imports = [ ./sshkeys.nix + ./iptables ]; nix.useChroot = true; @@ -65,6 +66,10 @@ ''; }; + security.setuidPrograms = [ + "sendmail" + ]; + services.gitolite = { enable = true; dataDir = "/home/gitolite"; 
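Review bot: The added `security.setuidPrograms = [ "sendmail" ];` creates a setuid wrapper without any comment saying which mail package provides the binary or why unprivileged mail submission is needed on this host. Nothing in the visible hunks enables a mail transfer agent, so a reader cannot tell what the wrapper resolves to. Since every setuid entry widens the privileged surface, I would document it in place, for example `# setuid wrapper for the local MTA's sendmail; remove if no MTA is configured`.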
@@ -84,27 +89,41 @@ RuntimeMaxUse=128M ''; - networking.firewall = { + lass.iptables = { enable = true; - - allowedTCPPorts = [ - 22 - ]; - - extraCommands = '' - iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - iptables -A INPUT -j ACCEPT -i lo - iptables -A INPUT -j ACCEPT -p icmp - - #iptables -N Retiolum - iptables -A INPUT -j Retiolum -i retiolum - iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset - iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable - iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable - iptables -A Retiolum -j REJECT - ''; - - extraStopCommands = "iptables -F"; + tables = { + filter.INPUT.policy = "DROP"; + filter.FORWARD.policy = "DROP"; + filter.INPUT.rules = [ + { predicate = "-i lo"; target = "ACCEPT"; } + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + { predicate = "-p icmp"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } + ]; + }; }; + + #Networking.firewall = { + # enable = true; + + # allowedTCPPorts = [ + # 22 + # ]; + + # extraCommands = '' + # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED + # iptables -A INPUT -j ACCEPT -i lo + # #http://serverfault.com/questions/84963/why-not-block-icmp + # iptables -A INPUT -j ACCEPT -p icmp + + # #TODO: fix Retiolum firewall + # #iptables -N RETIOLUM + # #iptables -A INPUT -j RETIOLUM -i retiolum + # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED + # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset + # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable + # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable + # #iptables -A RETIOLUM -j REJECT + # ''; + #}; } |
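Review bot: The new `lass.iptables` rule set is written purely in IPv4 terms (`-p icmp`, no ICMPv6 rule), and the `./iptables` module it relies on is not part of this diff, so it is unclear whether IPv6 input still gets a default-deny policy now that `networking.firewall` is commented out. If the module only drives `iptables`, IPv6 traffic would be left to the kernel's default policy, so that is worth confirming, and equivalent v6 rules added if needed. Commenting out the old block also leaves the stock firewall's intended state implicit. Setting `networking.firewall.enable = false;` explicitly would rule out two rule managers writing to the same chains. The commented-out block itself is better deleted, since version control history already preserves it.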