[Nix-dev] Enabling CUPS unconditionally allows UDP/631 on the firewall
Moritz Ulrich
moritz at tarn-vedra.de
Tue Nov 12 22:13:31 CET 2013
Peter Simons writes:
> Hi,
>
> > Running sshd without port 22 open doesn't make much sense.
>
> well, I know at least one person who has a locally running SSH daemon
> for no reason other than being able to use "ssh root@localhost" as a
> fancy replacement for sudo. For that use case, it's not necessary (nor
> desirable) to have the firewall enable access from the outside world.
>
> Personally, I would argue that no service should open up ports in the
> firewall, ever. Only the administrator should do that.

I agree here. It's not transparent enough which ports are opened on the
NixOS firewall when you enable a service.

Maybe there should be a convention that every service opening ports also
declares a 'port' attribute, enabling configurations like:

    networking.firewall.allowedTCPPorts = [ services.sshd.port ];

> Just my 2 cents,
> Peter
--
Moritz Ulrich
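
The convention proposed in this message, written out as a NixOS configuration. This is an added example, not code from the thread or from nixpkgs; `services.demo` and its default port are hypothetical, and the option value is read through `config`.

```nix
# Added example: "services.demo" is a hypothetical module, not part of nixpkgs.
{ config, ... }:

{
  imports = [
    # --- a service module following the proposed convention ---
    ({ config, lib, pkgs, ... }:
      let cfg = config.services.demo; in {
        options.services.demo = {
          enable = lib.mkEnableOption "hypothetical demo HTTP daemon";
          port = lib.mkOption {
            type = lib.types.port;
            default = 8080; # constructed value for illustration
            description = "TCP port the daemon listens on.";
          };
        };

        config = lib.mkIf cfg.enable {
          systemd.services.demo = {
            wantedBy = [ "multi-user.target" ];
            serviceConfig = {
              ExecStart =
                "${pkgs.python3}/bin/python3 -m http.server ${toString cfg.port}";
              DynamicUser = true;
            };
          };
          # Deliberately no networking.firewall.* here: enabling the
          # service must not change what is reachable from outside.
        };
      })
  ];

  # --- the administrator's configuration ---
  services.demo.enable = true;
  networking.firewall.enable = true;

  # Exposure is an explicit, reviewable decision, and it follows the
  # service's declared port if that port is ever changed.
  networking.firewall.allowedTCPPorts = [ config.services.demo.port ];
}
```

Leaving out the last line keeps the daemon reachable only from the local machine, which matches the localhost-only SSH use case quoted above.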