Firewall is broken #1

Closed
opened 2022-08-24 13:09:25 +00:00 by quentin · 1 comment
Owner

When we change the firewall config, sometimes it breaks and fails to load the new rules, and we don't know how to exit from this Schrödinger state.

The way that the firewall is handled on NixOS is a bit ugly, through generated scripts.

A hypothesis is that when we add a new rule with its unload counterpart, it fails to stop as it tries to unload a rule that does not exist yet during the restart. But we are not sure...

Author
Owner

This script is failing:

```
cat /nix/store/75b449qa182j3pbbcjzw2cp4gm1yhnrm-firewall-reload/bin/firewall-reload
#! /nix/store/40iwnlr30ykqm5ynm0bbk6bsjjc750ad-bash-5.1-p16/bin/bash -e
# Helper command to manipulate both the IPv4 and IPv6 tables.
ip46tables() {
  iptables -w "$@"
  ip6tables -w "$@"
}


# Create a unique drop rule
ip46tables -D INPUT -j nixos-drop 2>/dev/null || true
ip46tables -F nixos-drop 2>/dev/null || true
ip46tables -X nixos-drop 2>/dev/null || true
ip46tables -N nixos-drop
ip46tables -A nixos-drop -j DROP

# Don't allow traffic to leak out until the script has completed
ip46tables -A INPUT -j nixos-drop

iptables -D INPUT -s 192.168.1.254 -j ACCEPT
iptables -D INPUT -s 172.17.0.0/16 -j ACCEPT
iptables -D INPUT -s 10.83.0.0/16 -j ACCEPT


if /nix/store/kmynm1hdpp3a1y9gyxlcgj1hvrxnzjpz-firewall-start/bin/firewall-start; then
  ip46tables -D INPUT -j nixos-drop 2>/dev/null || true
else
  echo "Failed to reload firewall... Stopping"
  /nix/store/qlxf01sq8w8d11sjw448cyvdcxl8shkz-firewall-stop/bin/firewall-stop
  exit 1
fi
```

but we can make it work by running this before:

```
iptables -A INPUT -s 192.168.1.254 -j ACCEPT
iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT
iptables -A INPUT -s 10.83.0.0/16 -j ACCEPT
```

and:

```
systemctl restart firewall
```
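The failure mode the comment shows (and the manual `iptables -A` workaround) is consistent with the hypothesis in the issue: the reload script runs under `bash -e`, so the first `iptables -D` of a rule that has not been loaded yet exits non-zero and the script dies before `firewall-start` runs. The following is an added example, not code from the issue or from the NixOS firewall module. It models that reload step with a constructed `fake_iptables` stand-in (a rule list in a temp file) so it runs offline without root, and shows a guarded delete helper (`delete_rule_if_present`, an assumed name) that checks with `-C` before `-D`, which makes the unload step idempotent on a first reload and on every reload after it. The rule addresses are the ones from the comment.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from the NixOS firewall module.
# Models the reload step: an unguarded `iptables -D` of a rule that is not
# loaded yet exits non-zero, and under `bash -e` that aborts the reload before
# firewall-start ever runs. A guarded delete (check with -C first) is idempotent.
set -e

# Constructed stand-in for iptables so this runs without root or netfilter.
# The INPUT chain is a list of rule lines in $FAKE_RULES; it understands -A, -C, -D.
FAKE_RULES="${FAKE_RULES:-$(mktemp)}"
trap 'rm -f "$FAKE_RULES" "$FAKE_RULES.tmp"' EXIT

fake_iptables() {
  if [ "$1" = "-w" ]; then shift; fi   # accept and ignore the lock-wait flag
  local op="$1"; shift
  local rule="$*"
  case "$op" in
    -A) printf '%s\n' "$rule" >> "$FAKE_RULES" ;;
    -C) grep -qxF -- "$rule" "$FAKE_RULES" ;;
    -D) if ! grep -qxF -- "$rule" "$FAKE_RULES"; then
          echo "iptables: Bad rule (does a matching rule exist in that chain?)." >&2
          return 1
        fi
        grep -vxF -- "$rule" "$FAKE_RULES" > "$FAKE_RULES.tmp" || true
        mv "$FAKE_RULES.tmp" "$FAKE_RULES" ;;
    *)  return 2 ;;
  esac
}

# Guarded delete (assumed helper, not a NixOS function): remove a rule only if
# it is present. `-C` exits non-zero for an absent rule, and because it sits in
# an `if`, `set -e` does not fire. Returns 0 either way, so the script continues.
delete_rule_if_present() {
  local ipt="$1"; shift
  if "$ipt" -w -C "$@" 2>/dev/null; then
    "$ipt" -w -D "$@"
  fi
}

# Unload step as in the generated firewall-reload: every -D must succeed.
# `|| return 1` mirrors what `bash -e` does to the real script on the first failure.
naive_unload() {
  fake_iptables -w -D INPUT -s 192.168.1.254 -j ACCEPT || return 1
  fake_iptables -w -D INPUT -s 172.17.0.0/16 -j ACCEPT || return 1
  fake_iptables -w -D INPUT -s 10.83.0.0/16 -j ACCEPT || return 1
}

# Same rules, guarded: safe on a first reload and on every reload after it.
guarded_unload() {
  delete_rule_if_present fake_iptables INPUT -s 192.168.1.254 -j ACCEPT
  delete_rule_if_present fake_iptables INPUT -s 172.17.0.0/16 -j ACCEPT
  delete_rule_if_present fake_iptables INPUT -s 10.83.0.0/16 -j ACCEPT
}

# Load step: the counterpart -A rules (what the comment ran by hand to unblock).
firewall_start() {
  fake_iptables -w -A INPUT -s 192.168.1.254 -j ACCEPT
  fake_iptables -w -A INPUT -s 172.17.0.0/16 -j ACCEPT
  fake_iptables -w -A INPUT -s 10.83.0.0/16 -j ACCEPT
}

# Reload flow with the unload strategy pluggable. Returns 1 at the point where
# the real script prints "Failed to reload firewall..." and runs firewall-stop.
reload_firewall() {
  local unload="$1"
  "$unload" || return 1
  firewall_start || return 1
}

rule_count() { wc -l < "$FAKE_RULES" | tr -d ' '; }

demo() {
  : > "$FAKE_RULES"
  if reload_firewall naive_unload; then
    echo "naive: ok"
  else
    echo "naive: failed on first reload, $(rule_count) rules loaded"
  fi
  reload_firewall guarded_unload && echo "guarded: ok, $(rule_count) rules loaded"
  reload_firewall guarded_unload && echo "guarded again: ok, still $(rule_count) rules"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the naive unload fail with zero rules loaded (the state the issue calls a Schrödinger state: the drop rule is in place, the new rules never are) while the guarded unload succeeds twice in a row with the same three rules. On a real host the same effect comes from appending `2>/dev/null || true` to each unload command, as the generated script already does for its own `nixos-drop` chain; the `-C` check is the more explicit form when the unload commands are written by hand.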
Reference: Deuxfleurs/nixcfg#1