[RFC] Modularize the firewall and nixify the rules

[primeos]

tl;dr - The goal is to have a basic firewall module with nixified rules and provide back-end modules like iptables and nftables that can implement the rules from the firewall module or be used on their own (for extended functionality). While thinking of a new design we should try to solve as much current problems as possible and consider as many use-cases as possible.

---

Issue description

Note: Consider this an early preview, I haven't yet to read through all issues/PRs again. Feel free to come back later if you don't want to actively participate in the discussion.

Currently we have one module services.networking.firewall that does all the work. The complete module is based around iptables and limited in functionality.

Imho we might have to rethink this in order to allow more complex setups without disabling the firewall and managing it manually (by using systemd services or nix hacks).

Currently there are the multiple ways to configure a firewall on a GNU/Linux system, the most known solutions are probably:

• iptables (the current "default")
• nftables (the successor of iptables)
• ufw (uncomplicated firewall, based on iptables)
• There are multiple console and GUI frontends for iptables (a list can e.g. be fond on the Arch-Wiki)

This list can change (and most likely will at some point). Even only both iptables and nftables would probably unnecessarily complicate the firewall module. It would therefore probably be a good idea to write a generic firewall module (which would require nixifying (basic) firewall rules) and having separate "extension" modules (like iptables and nftables) that can provide back-ends for implementing the rules from the firewall module. That way we only have to specify our firewall rules only once and a user can use an option to choose between the different back-ends. Since different back-ends can provide different functionality/extensions we should probably make sure that a user can simply disable the firewall module and e.g. use the nftables module directly.

Currently we also have the problem that we can't control the complete firewall because some other "things" (official modules like virtualisation.xen-dom0, user/custom modules(?), programs, etc.) are directly interacting with the firewall. Imho we should try to solve this by making an announcement on nix-dev and ask everyone to check whether their modules/programs require this and if we could solve this (e.g. by printing warnings/errors when a user is using an incompatible program/module together with networking.firewall.enable = true or by using the firewall module instead of the direct interaction.

Also there are some use cases which we're not covering ATM like providing a script for iptables-restore or preserving the firewall state (i.e. saving the rules via iptables-save) before shutting down.

Please let me know what you think, I would be grateful for any feedback 😄
Feel free to point out anything I missed, let me know if you disagree with something, add suggestions/questions, etc.
It might be a good idea to quote parts of this when relevant because this is a pretty complex topic (imho) and I might have to heavily edit this text (it would probably make sense to use something like Etherpad - feel free to create one or provide other suggestions).

Related

PRs

• Finer-grained firewall: allow specific hosts, in particular to SSH
• Firewall: Add support for arbitrary rules for input, output and forward
• nftables module: Add new module for nftables firewall settings

Issues

• NixOS Firewall should automatically allow ports for enabled services.
• nixos/{firewall,nat}: Standardize around an iptables-restore / nftables solution
• for nixos-rebuild, old value of firewall.extraStopCommands should be used.
• Create a "high security" profile

[c0bw3b]

Well yes this is a useful RFC since firewalling seems to be a recurrent topic.

I've been using NixOS only recently for my dedicated webserver hosting all the stuff I need or want to play with. :)
Firewalling was not an issue since my needs were quite simple : incoming 80/tcp and 443/tcp are allowed through networking.firewall.allowedTCPPorts and the specific port I use in services.openssh.ports is also passed to the firewall.
But clearly I can see the need for more flexibility. Like allowing access to a port from a specific set/range of IP addresses.

The following are just my opinions and everyone can disagree. :)

On the topic of use cases

I think there is a right balance between completeness and usability. For me the sweet spot to aim for would be to cover the needs of workstations, servers and cloud instances. And I believe the more complex networking setups (firewall builders, NixOS on a router machine, lots of NAT rules, ...) are better served with tools like Shorewall or Ferm. These tools already offer the needed layer of abstraction and the possibility to save/restore rulesets to/from files.
That's why I prefer the approach of #22586 over #12940.
If we try to cover advanced firewalling through a NixOS service module I fear that :

• one would end up rewriting Ferm/Shorewall/ufw in Nix ;
• the firewall.nix definition would be bloated in no time ;
• it could make setting up simple rules quite difficult because too many subcommands available ;
• man configuration.nix or searching for "firewall" on Nixos.org options page won't help much and firewalling would require a manual of its own.

On the topic of FW engine modularity

I think the code needed to implement every firewall subcommand for iptables and nftables would be too cumbersome and difficult to read/maintain/evolve. Plus nftables may be not mature enough yet, although it seems almost there [1]. Making a better firewall abstraction layer assuming iptables seems more of a reachable goal.
But I also want to use nftables, so I feel the parallel module proposed in #18842 is a good solution. Provided it clearly assert that one can't use it alongside the 'standard' firewall, which it does.
And when the time comes to make nftables the default in NixOS we will just need to rename 1 or 2 nix module definitions and maybe add some code to migrate using iptables-translate [2].

On the topic of interaction with the firewall

Other modules and services should use the NixOS firewall commands when possible. OpenSSH does it. This could be enforce through PR review.
But in the end you can't prevent a program to create dynamic rules at runtime : think fail2ban for example. And there will always be a complex service with a good reason for directly calling system commands (Xen-dom0 or else).

On the topic of atomic ruleset change

I must admit this is a little bit over my head... It seems a proper iptables-save/iptables-restore to/from a file does the job for a reload. But if you roll back to a previous NixOS generation you don't want to restore dynamic rules out of the context of their creation...

1. Either there is a way to save only the ruleset defined by the NixOS firewall and we reload other services after an iptables-restore (service interruption is to be expected) ...
2. ... or we save and restore the whole active ruleset and we rely on the modules to properly handle things in case of a system rollback ?
   For example, I don't know how fail2ban behaves if you delete its chains and rules. It is supposed to have a DB for persistence so it should recreate rules after reloading its systemd unit...

References

[1] https://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/
[2] https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

[CapSel]

I believe that implementation of another firewall frontend would be too complicated. I suggest delegating firewall functionality to some other frontend (ufw perhaps) and using its own language. As another, more advanced, mode just allow plain iptables rules with ability to generate rules by user templates.

For example nixos-rebuild would pass maps (associative arrays) with all services, their ports, to user template, and output of this template would be stored as server's firewall configuration. User templates should be as simple as possible leaving "heavy logic" to user nix file that would use templates.

There can be only one firewall manager at a time. All managers are (should be) aware of services like fail2ban or sshguard. Usually those services are aware of different firewall managers.

While implementing solution please don't forget about options for kernel modules like nf_conntrack_ftp - ports. Possibly other modules have similar options.

I'm new to nixos.

[primeos]

Hey @c0bw3b and @CapSel, thank you very much for your awesome feedback and sorry for the late reply...

Some quick notes:

I think there is a right balance between completeness and usability.

Yeah, that's a good point and feedback from the community really helps here.

I also noticed that I failed to mention some points:

The nixifying of firewall rules wasn't intended to replace existing tools like ufw. I agree that we should try to keep it as minimal as possible and I think it would be helpful for the following:

• Make it easier to switch between iptables and nftables.
• Possibly use it for "services" as described here: NixOS Firewall should automatically allow ports for enabled services. #19504 (comment) (e.g. when we want to filter source and/or destination IP addresses)
• Implement as many networking.firewall options with it as possible (in order to reduce the code redundancy for the different backends, but looking at this again I don't really think that would work out...)

I think the code needed to implement every firewall subcommand for iptables and nftables would be too cumbersome and difficult to read/maintain/evolve.

Right, that would make no sense...

iptables-translate

Could be helpful, didn't knew about this.

Other modules and services should use the NixOS firewall commands when possible. OpenSSH does it. This could be enforce through PR review.

Actually they shouldn't (OpenSSH is an exception) and as long as they need simple static rules that isn't much of a problem.
But obviously some modules/programs require dynamic and/or complex rules - I need to rethink this...

But in the end you can't prevent a program to create dynamic rules at runtime : think fail2ban for example. And there will always be a complex service with a good reason for directly calling system commands (Xen-dom0 or else).

It would probably make sense to introduce an option like networking.firewall.mutable and modules like fail2ban require (assert) this option to be true (while the default might be false). The problem is that we can't really have an atomic firewall as long as some other programs or modules are changing rules at runtime. That way at least users who don't need them could have an atomic firewall and we could probably make tools like fail2ban write to a file and restore their rules after we reset the firewall. Probably the best solution would be to provide a fake iptables tool to these services and e.g. save them to /var/lib/firewall/... but that would probably be too complex...

But if you roll back to a previous NixOS generation you don't want to restore dynamic rules out of the context of their creation...

I guess this is generally problematic but I personally would just reload the rules from the older generation. This might not always be desired but at least it's the purpose of a roll back and since other stuff (like service ports) could have changed as well this is probably the best way not to break anything. But this only covers static rules and we would probably have to reload the dynamic rules (e.g. if we would manage to save them to /var/lib/firewall/...) as well (depending on mutable or an extra option).

For example nixos-rebuild would pass maps (associative arrays) with all services, their ports, to user template, and output of this template would be stored as server's firewall configuration. User templates should be as simple as possible leaving "heavy logic" to user nix file that would use templates.

I'm sorry, but I don't really understand this :o

While implementing solution please don't forget about options for kernel modules like nf_conntrack_ftp

Good point.

I'm new to nixos.

Welcome to the community 😄

[CMCDragonkai]

There's no way to specify to open a port only on one specific interface/ip address right now?

[primeos]

Only via networking.firewall.extraCommands (or networking.nftables.ruleset[File]), but I guess that's not what you want.

[0xABAB]

Good idea to cover some set of use cases via a Nix syntax.

The challenge is in making it such that it won't break from release to release.