Disable networking.firewall by default #12957
Conversation
As we're going to turn it off by default, so this will make it easier for new and not so savvy users to not open random ports to the outside world. Signed-off-by: aszlig <[email protected]>
The reason for disabling the "firewall" (let's call it just netfilter, shall we?) is that we already have a way to declaratively specify which services we want to run. So we really should *only* run the services that we care for and not introduce additional attack vectors by adding netfilter modules to the kernel (especially the conntrack modules had security flaws in the past). We should also better focus on making the service modules more configurable and by default listen to only the ports that are *necessary* to run the service. As with everything else, the NixOS configuration ultimately should represent the stuff the user *wants* to have and *only* that. Signed-off-by: aszlig <[email protected]>
aszlig
added
0.kind: enhancement
|
By analyzing the blame information on this pull request, we identified @edolstra, @wkennington and @bluescreen303 to be potential reviewers |
|
I still wouldn't say I'm a fan of turning it off by default, since I don't really see a strong argument for doing that. I also don't really understand the argument that turning iptables on will increase the attack surface. It seems far easier to trust that one module than dozens of ad-hoc services and individual users sitting on your computer. |
|
The netfilter modules had vulnerabilities in the past, but that's not the point, because every piece of software has its bugs, but adding more stuff instead of removing stuff is the same way as AV vendors are approaching this, by blacklisting stuff that's known to be bad instead of whitelisting stuff that's known to be good. As for the netfilter, the "dozens" of ad-hoc services are only relevant for desktop systems if users aren't careful enough to disable them in the first place, on dedicated servers however there shouldn't run any "ad-hoc services" which you don't explicitly enable in your NixOS config. And even if it comes to "ad-hoc services" in terms of nixpkgs, we should rather make listening to these ports optional than make it the default. For example if you have an IM client and want to transfer files, you may actively want to open ports and the only thing the netfilter is doing is making it even harder for you to actually do what you want to do. |
|
What I meant by dozens isn't that you're simultaneously running dozens of services, but it's a single reasonably well known and tested entity blocking entry vs. a suite of codebases of varying quality, even if you're only ever enabling one of them at a time. If I'm spinning up a service, I don't want to have to trust that your |
|
That |
|
Then I'm even less confident in this being a good idea. I don't want to trust a whole bunch of module authors to have done this properly and have working VM tests that catch this. Most services in NixOS don't have VM tests, and while I'd like that to improve, this seems like a lot more potential holes in exchange for a bit of convenience when running p2p desktop sharing programs. |
|
Previous discussion: #2135, NixOS/nixos#55 I don't really see what changed, so I'm 👎 on this - I don't think we should ship without a firewall by default. People who care can disable it easily enough. |
|
I agree with @edolstra |
|
@edolstra: Still your argument on defense in depth really doesn't hold, because it does not protect services that are already exempt from firewall rules. It only protects you from rogue programs that are randomly binding to everything. Programs like this should not run on your machine and if they're really necessary you'd exempt them anyway... or even sandbox them properly. |
|
Another problem caused by the firewall being on by default: #10101 |
|
@aszlig, what if such rogue program is some malware? |
|
@astsmtl: If malware is on your system, then you're doomed anyway and it can still use outbound connections as well as bind to ports that are exempt from the rules. And if it has |
|
👍 from me. We should have as little as possible enabled by default; on a properly configured system, netfilter doesn't add any security. |
|
This has been discussed before and we've through a lot of trouble at the time to enable the firewall by default in a way that doesn't break people's existing installations. I believe having the firewall enabled by default was the right choice then and it's still the right choice now. 👎 from me on this issue; please don't change the current default setting. |
|
Please just no. 👎 Is implementing https://github.com/t-woerner/firewalld one way to fix this? (Is it maybe not an ideal fit for NixOS because of it's design?) firewalld integrates well with network manager and allows you to have multiple switch-able zones (which are themselves individual configuration rule sets) which can be toggled without any of the reloading of kernel modules normally required to complete configuration changes.
Many have often wondered why we have this thing called dbus which does; things.
Whether to enable a firewall is often a question found in an operating system installer and I am yet to use an installer where the option is disabled by default. |
|
👍 from me. If people want a firewall they can just as easily enable it. |
In case of And the reason why most installers of other distros enable it by default is that they tend to enable services on installation (like for example Debian does or at least has done in the past). NixOS however doesn't have a notion of "installation" but a But anyway, I guess in respect to #12987, let's at least get rid of |
|
I am in favor of disabling the firewall by default. Back as a new user I was astounded that my |
|
We just discovered that the firewall blocks avahi as well. |
I disagree. It is doing exactly what was intended. |
|
I imagine there's a fairly clean split on this issue between people using NixOS as a server vs. those using it as a desktop OS. |
So blocking avahi functionality (with What do you want to do about that? Implicitly disable |
When a firewall is turned on it blocks all traffic by default. This is the intended behaviour. |
|
The problem is that this firewall is turned on without the user even knowing about it, it's kind of hard to suspect breakage due to an option you didn't even know exists. |
|
I was going to suggest to make the nixos installer put But then I realized that this is what this PR does. So +1 from me. (I don't care that much about the default setting, but it clearly needs to be more visible, and this PR does that.) |
|
@bjornfor's point is an important one on this topic in my opinion. 👍 from me also. |
|
FWIW, I agree with the points made by @bjornfor and @aszlig, so 👍. Enabled firewalls by default are only useful if you as the user don't know what you're and the package maintainer doesn't know what he's doing, but this is NixOS and not Fedora, so I guess not that many newbies who don't know about firewalls will use it. Enabling it explicitly and by default in the generated configuration.nix for new installs is the way to go because this is be the first thing a new NixOS user will try and thus will become aware of the firewall. But advanced users that build qemu images or deploy via nixops should know if they need the firewall or not and thus set it explicitly. As a compromise for the people who are against this: Should/could we demand that all services listen on localhost by default except when they can be considered to be secure enough in its default state, e.g. |
|
The change as-is now works fine for people who install a fresh 16.03 system, but people who upgrade to that release from an existing installation might implicitly have their firewall disabled without noticing. |
|
@peti Then let’s put it in a big fat warning box in the release notes. |
|
I don't see a consensus for changing this again with no new arguments (we really don't want to turn the firewall on and off every few releases), and the firewall can be turned off easily for people who don't want it. Since this discussion is likely to go around in circles for a long time I'm going to close this issue. However, we could add a Aside: this is not an appropriate use of |
This got a bit off-topic in #12927 by my comment against having it enabled by default, so let's continue here instead.
As stated in the comment, we really should focus on not opening ports that are not needed to world instead of putting additional netfilter/conntrack modules in front that will increase the attack vector.
After all, if you want a service to be available to the world, the netfilter can't help you either and if you don't want it to be available, why enable the service (or listening to
::) in the first place? Everything that we might want to block or disable can be disabled without relying on netfilter, except a few very specific corner cases (like for example port knocking) which where people can still enable it.The pull request still lacks documentation in the release notes and is primarily there for discussion, in addition to that I'd like to add a few tests (and module fixes) here to ensure that we don't listen to ports that are unnecessary.