Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/interfaces.nix20
1 files changed, 16 insertions, 4 deletions
diff --git a/sys/net/interfaces.nix b/sys/net/interfaces.nix
index 5bea211..3295e7f 100644
--- a/sys/net/interfaces.nix
+++ b/sys/net/interfaces.nix
@@ -18,10 +18,19 @@ in
config = mkIf cfg.enable {
boot.kernel.sysctl = {
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv4.conf.default.forwarding" = true;
- "net.ipv6.conf.default.forwarding" = true;
+ # rp_filter=1 reemplazado por nixos-fw-rpfilter
+ "net.ipv4.conf.all.rp_filter" = mkForce 2;
+ "net.ipv4.conf.default.rp_filter" = mkForce 2;
+
+ "net.ipv4.conf.all.forwarding" = mkForce true;
+ "net.ipv6.conf.all.forwarding" = mkForce true;
+ "net.ipv4.conf.default.forwarding" = mkForce true;
+ "net.ipv6.conf.default.forwarding" = mkForce true;
+
+ "net.ipv4.conf.all.accept_redirects" = mkForce false;
+ "net.ipv6.conf.all.accept_redirects" = mkForce false;
+ "net.ipv4.conf.default.accept_redirects" = mkForce false;
+ "net.ipv6.conf.default.accept_redirects" = mkForce false;
};
environment.systemPackages = with pkgs; [
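Review bot: The sysctl block turns forwarding on for every interface and rejects incoming ICMP redirects, but leaves the host free to emit them; on a forwarding box the usual companion to accept_redirects=false is `"net.ipv4.conf.all.send_redirects" = mkForce false;` and `"net.ipv4.conf.default.send_redirects" = mkForce false;` (there is no IPv6 counterpart for send_redirects). The comment above the rp_filter lines says rp_filter=1 was replaced by nixos-fw-rpfilter but does not say why the kernel value is now 2 rather than 0; it seems to be meant as a loose-mode kernel baseline under the firewall's own reverse-path check, and stating that in English, e.g. `# rp_filter=2 (loose) as kernel baseline; strict reverse-path filtering is done by the nixos-fw-rpfilter chain`, would save the next reader the guess. The enclosing `config = mkIf cfg.enable { ... }` attribute set closes outside this hunk.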
@@ -38,6 +47,9 @@ in
hostName = cfg.hostname;
firewall = {
+ logReversePathDrops = true;
+ checkReversePath = "strict";
+
extraCommands = mkBefore ''
ip46tables -t filter -P INPUT DROP
ip46tables -t filter -P FORWARD ACCEPT #TODO: DROP