| author | Alejandro Soto <alejandro@34project.org> | 2025-04-19 11:07:40 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-04-19 11:09:59 -0600 |
| commit | 750f76baf34bdd8293216f5c84d55b313f9d714e (patch) | |
| tree | 0933ee2f823d88310be1e67ea21339fb1023f738 /sys/net | |
| parent | 3984c5035854417cd3dbd92dae9a1d8568dc6499 (diff) | |
sys/net: harden firewall reverse-path checks, ICMP redirects
Diffstat (limited to '')
| -rw-r--r-- | sys/net/interfaces.nix | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/sys/net/interfaces.nix b/sys/net/interfaces.nix
index 5bea211..3295e7f 100644
--- a/sys/net/interfaces.nix
+++ b/sys/net/interfaces.nix
@@ -18,10 +18,19 @@ in
 config = mkIf cfg.enable {
 boot.kernel.sysctl = {
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv4.conf.default.forwarding" = true;
- "net.ipv6.conf.default.forwarding" = true;
+ # rp_filter=1 reemplazado por nixos-fw-rpfilter
+ "net.ipv4.conf.all.rp_filter" = mkForce 2;
+ "net.ipv4.conf.default.rp_filter" = mkForce 2;
+
+ "net.ipv4.conf.all.forwarding" = mkForce true;
+ "net.ipv6.conf.all.forwarding" = mkForce true;
+ "net.ipv4.conf.default.forwarding" = mkForce true;
+ "net.ipv6.conf.default.forwarding" = mkForce true;
+
+ "net.ipv4.conf.all.accept_redirects" = mkForce false;
+ "net.ipv6.conf.all.accept_redirects" = mkForce false;
+ "net.ipv4.conf.default.accept_redirects" = mkForce false;
+ "net.ipv6.conf.default.accept_redirects" = mkForce false;
 };
 environment.systemPackages = with pkgs; [
@@ -38,6 +47,9 @@ in
 hostName = cfg.hostname;
 firewall = {
+ logReversePathDrops = true;
+ checkReversePath = "strict";
+
 extraCommands = mkBefore ''
 ip46tables -t filter -P INPUT DROP
 ip46tables -t filter -P FORWARD ACCEPT #TODO: DROP |
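Review bot: The ICMP redirect hardening in the first hunk covers only the receive side: the four accept_redirects keys are forced off, but the same hunk forces forwarding on, and a forwarding host can still emit IPv4 redirects, so `"net.ipv4.conf.all.send_redirects" = mkForce false;` and its `default` counterpart belong next to the accept_redirects lines. The rp_filter comment is in Spanish while the rest of the file's text is in English, and it does not say why the kernel value becomes 2 (loose) rather than 0 or 1; `# kernel rp_filter set to loose (2); the strict reverse-path check is enforced by the firewall rpfilter rule (checkReversePath = "strict")` would record the intent, which the second hunk's checkReversePath setting appears to confirm. With strict reverse-path checks on a forwarding host, asymmetric routes will be dropped, so keeping logReversePathDrops enabled is the right call for spotting that. The enclosing `config = mkIf cfg.enable {` attribute set continues outside both hunks.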
