[bug#65275] [PATCH] services: %default-nftables-ruleset: Tighten the rules.

From: Tomas Volf
Subject: [bug#65275] [PATCH] services: %default-nftables-ruleset: Tighten the rules.
Date: Mon, 14 Aug 2023 01:21:33 +0200
Packets for local host IP ranges should be coming only over lo. If that is
not the case, we should drop them. Use iif for the check instead of iifname;
lo is guaranteed to exist, and iif is faster.
* gnu/services/networking.scm: Tighten the rules.
---
gnu/services/networking.scm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 5657b141d9..e24d2a876a 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1804,7 +1804,10 @@ (define %default-nftables-ruleset
ct state { established, related } accept
# allow from loopback
- iifname lo accept
+ iif lo accept
+ # drop connections to lo not coming from lo
+ iif != lo ip daddr 127.0.0.1/8 drop
+ iif != lo ip6 daddr ::1/128 drop
# allow icmp
ip protocol icmp accept
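Review bot: the two new drop rules sit before `ip protocol icmp accept`, and that ordering is what makes them effective: the icmp accept carries no interface or destination restriction, so without the drops an ICMP packet addressed to 127.0.0.1 arriving on a non-lo interface would be accepted by that line. Two smaller points on the hunk. `ip daddr 127.0.0.1/8` is accepted by nft and masked to the /8, but it is unusual notation; `127.0.0.0/8` states the intent directly. And the commit message would benefit from a sentence on why these rules were not strictly needed before: the kernel's routing input already discards packets for 127.0.0.0/8 that arrive on a non-loopback device as martians unless `net.ipv4.conf.*.route_localnet` is enabled (and drops ::1-addressed packets from non-loopback devices), so the new rules are defense in depth for hosts where route_localnet has been turned on, for example by container networking. Note also that `ct state { established, related } accept` still precedes them, so only the first packet of a flow is ever evaluated against these drops, which is fine since the first packet is the one that would create the state.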
base-commit: be6f5edd445850720dfcec2642db643b84fc0645
--
2.41.0
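To make the rule-ordering point concrete, here is a small first-match model of the input-chain excerpt shown in the hunk, run over a few constructed packets. It is an added illustration written for this page, not code from the patch or from Guix, and it models only the lines visible in the hunk; the chain's default policy (assumed here to be drop) and any later accept rules are not visible in the diff and are assumptions. The "before" chain is the excerpt without the two drops, the "after" chain is the excerpt with them.

```python
"""Model of first-match evaluation for the nftables input-chain excerpt.

Added example for this page; not the project's code. Only the rules visible
in the hunk are modelled, and the chain policy is ASSUMED to be drop.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet with just the fields the excerpt matches on."""
    iif: str                 # ingress interface name, e.g. "lo" or "eth0"
    daddr: str               # destination address, IPv4 or IPv6
    proto: str               # "icmp", "tcp", "udp", ...
    ct_state: str = "new"    # conntrack state as nftables would see it


# (rule text as in the hunk, predicate, verdict)
Rule = Tuple[str, Callable[[Packet], bool], str]


def _in(addr: str, cidr: str) -> bool:
    """Prefix match. 'ip daddr' only matches IPv4 and 'ip6 daddr' only IPv6;
    ipaddress returns False across versions, so that split comes for free.
    strict=False is needed because 127.0.0.1/8 has host bits set."""
    return ip_address(addr) in ip_network(cidr, strict=False)


def input_chain(tightened: bool) -> List[Rule]:
    """The visible excerpt, with or without the two drops added by the patch."""
    rules: List[Rule] = [
        ("ct state { established, related } accept",
         lambda p: p.ct_state in ("established", "related"), "accept"),
        ("iif lo accept", lambda p: p.iif == "lo", "accept"),
    ]
    if tightened:
        rules += [
            ("iif != lo ip daddr 127.0.0.1/8 drop",
             lambda p: p.iif != "lo" and _in(p.daddr, "127.0.0.1/8"), "drop"),
            ("iif != lo ip6 daddr ::1/128 drop",
             lambda p: p.iif != "lo" and _in(p.daddr, "::1/128"), "drop"),
        ]
    # 'ip protocol icmp' matches IPv4 ICMP only (IPv6 would be 'ip6 nexthdr icmpv6').
    rules.append(("ip protocol icmp accept",
                  lambda p: p.proto == "icmp" and ip_address(p.daddr).version == 4,
                  "accept"))
    return rules


def evaluate(rules: List[Rule], packet: Packet, policy: str = "drop") -> Tuple[str, str]:
    """First matching rule wins; otherwise the (assumed) chain policy applies."""
    for text, pred, verdict in rules:
        if pred(packet):
            return verdict, text
    return policy, "chain policy (assumed drop)"


def compare(packet: Packet) -> Tuple[str, str]:
    """Verdict before and after the patch for one packet."""
    return evaluate(input_chain(False), packet)[0], evaluate(input_chain(True), packet)[0]


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.5 is documentation address space.
    samples = [
        Packet("eth0", "127.0.0.1", "icmp"),                     # the case the patch closes
        Packet("eth0", "::1", "tcp"),                            # v6 equivalent
        Packet("lo", "127.0.0.1", "tcp"),                        # genuine loopback traffic
        Packet("eth0", "203.0.113.5", "icmp"),                   # ordinary external ping
        Packet("eth0", "127.0.0.1", "tcp", ct_state="established"),
    ]
    for pkt in samples:
        before, (after, rule) = compare(pkt)[0], evaluate(input_chain(True), pkt)
        print(f"{pkt.iif:5} {pkt.daddr:12} {pkt.proto:4} {pkt.ct_state:11} "
              f"before={before:6} after={after:6} via: {rule}")
```

The first sample is the one the patch is about: before the change it reaches `ip protocol icmp accept` and is accepted, after it the interface check drops it. The last sample shows the caveat from the ordering, that a packet already associated with conntrack state is accepted by the first line and never reaches the new drops.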