NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

firewalld #165882

Open cawilliamson opened 2 years ago

cawilliamson commented 2 years ago

Project description

I'm really just wondering if there's any possibility NixOS will adopt firewalld as a native firewall option?

It seems odd that we have similar options like Shorewall packaged up but not firewalld.

I see there was an effort to package this previously, which was then reverted, but I haven't seen any lively discussion on the topic, so I thought I'd kick things off.


peterhoeg commented 2 years ago

We have firewalld but specifically compile NetworkManager without firewalld support.

For server use, it's probably not worth the effort, but I would love to have proper support for workstations.

I have it on my list although that admittedly doesn't mean very much.

devurandom commented 2 years ago

firewalld is currently packaged (https://github.com/NixOS/nixpkgs/blob/nixos-22.05/pkgs/applications/networking/firewalld/default.nix) but also unusable (at least on unstable / 22.11pre):

systemd[1]: firewalld.service: Service has no ExecStart=, ExecStop=, or SuccessAction=. Refusing.

# /etc/systemd/system/firewalld.service
[Unit]

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/c07saix6160gvdhs78a35hmh4xxcwpc6-glibc-locales-2.35-163/lib/locale/locale-archive"
Environment="PATH=/nix/store/n95s7s6ilkjc7xwqml93acxzj6k0hsfn-coreutils-9.1/bin:/nix/store/k0kpf3r2k1d8p9h0gmx23msw3qrybkfk-findutils-4.9.0/bin:/nix/store/ix6nn9lwp2w04agkfb1wzwvcnis0mmxw-gnugrep-3.7/bin:/nix/store/5mgbisml783jj5mscxjsr4hlbmn25cyr-gnused-4.8/bin:/nix/store/hhwkvh589y34p6znr2rcv28zw9afjccj-systemd-251.4/bin:/nix/store/n95s7s6ilkjc7xwqml93acxzj6k0hsfn-coreutils-9.1/sbin:/nix/store/k0kpf3r2k1d8p9h0gmx23msw3qrybkfk-findutils-4.9.0/sbin:/nix/store/ix6nn9lwp2w04agkfb1wzwvcnis0mmxw-gnugrep-3.7/sbin:/nix/store/5mgbisml783jj5mscxjsr4hlbmn25cyr-gnused-4.8/sbin:/nix/store/hhwkvh589y34p6znr2rcv28zw9afjccj-systemd-251.4/sbin"
Environment="TZDIR=/nix/store/3sfzh696qxfjqvzn9jxcsrs1q01951pn-tzdata-2022c/share/zoneinfo"
peterhoeg commented 1 year ago

Just having it packaged isn't enough. We need it integrated into the NixOS module system. I haven't had a strong motivation to actually work on that since nftables works well enough for my use cases. But yes, we absolutely should have proper support for firewalld.

deviantsemicolon commented 4 months ago

The PR to add module support was closed. Is anyone else willing to add support for firewalld?

kjkent commented 2 weeks ago

Just wanting to add to the voices that firewalld support seems like a good thing.

I saw a few comments on the Discourse along the lines of "you can open ports, for other stuff you can add iptables rules". While true, the use-case of "laptop connecting to > 1 network" is likely common enough to make firewall zones a justifiable security win.
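As an added illustration of the "laptop on more than one network" case raised above, and not code from this issue or from nixpkgs: until a firewalld module exists, zone-like policy can be expressed directly with the existing `networking.nftables` options. The interface name `enp0s31f6` and the `192.168.1.0/24` home subnet are assumptions chosen for the example; replace them with what `ip link` and your router hand out. The NixOS iptables firewall is disabled because older releases do not allow it alongside `networking.nftables.enable`.

```nix
# Added example (not part of nixpkgs): "trusted" vs "public" zone behaviour
# with plain nftables on NixOS. Interface and subnet values are assumptions.
{ config, pkgs, ... }:

{
  # The classic NixOS firewall and a hand-written nftables ruleset should
  # not both own the input hook; disable the former.
  networking.firewall.enable = false;
  networking.nftables.enable = true;

  networking.nftables.ruleset = ''
    table inet filter {
      chain input {
        type filter hook input priority 0; policy drop;

        # Baseline: loopback and return traffic for connections we opened.
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # "trusted" zone: only the wired home port, and only from the home
        # subnet, may reach ssh and mDNS. A hotel or cafe network plugged
        # into the same port but using a different subnet gets nothing extra.
        iifname "enp0s31f6" ip saddr 192.168.1.0/24 tcp dport 22 accept
        iifname "enp0s31f6" ip saddr 192.168.1.0/24 udp dport 5353 accept

        # "public" zone: everything else (e.g. wlan on an untrusted network)
        # is limited to what the host needs to stay connected at all.
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        udp sport 67 udp dport 68 accept
      }

      chain forward {
        # A laptop does not route for anyone.
        type filter hook forward priority 0; policy drop;
      }
    }
  '';
}
```

The point of the example is the one kjkent makes: a single global "open port 22" rule would expose ssh on every network the laptop joins, whereas tying the accept to both the interface and the expected source subnet approximates a firewalld zone. After `nixos-rebuild switch`, `sudo nft list ruleset` shows the loaded table and `nft list counters` style inspection is available for debugging.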