[Nix-dev] Enabling CUPS unconditionally allows UDP/631 on the firewall

Marc Weber marco-oweber at gmx.de
Wed Nov 13 12:37:22 CET 2013


Excerpts from Eelco Dolstra's message of Wed Nov 13 11:47:32 +0100 2013:
> Well, only the administrator can enable the sshd service, anyway.  The question
> is whether it's reasonable to expect that enabling sshd also opens port 22.

Whatever "being open" means (outside/inside/...)?

The perfect setup tracks
  - which ports apps should be listening on
  - which ports no apps are expected to listen on
There should be a script telling about both.
This could be used for monitoring, too.

If you don't expect port 8888 to be used and it is used, then you want to
investigate...

Eventually you want to allow access only from some IPs, etc. Is on/off
enough? Or do we need more control? I remember having read about tools
which allow access to ports if you "unlock" them by accessing other
ports in a certain order and the like.

Thus eventually creating an attr set like this could be useful:

usedPorts = {

  # don't allow two services to use 9981. Thus if "{port}".udp.by gets
  # set twice, cause a configuration failure.
  "9981".udp = {
    by = "tvheadend";
    allow_from = "127.0.0.1/32";
  };
  "9982".tcp = {
    by = "tvheadend";
    protocol = "http";
    allow_from = "127.0.0.1/32";
  };

};

Then admins can create their own "whitelist" easily by using assertions
and by accessing usedPorts...
Moreover, it would protect against starting two services accessing the
same port by accident. And by introducing "protocol" it would be
possible to define http proxy chains in a "type-safer" way.
E.g. if apache gets configured to access localhost:8080 but no service is
configured to use that port, this could be made an early failure.

Marc Weber
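A worked version of this idea as a NixOS module (an added example, not code from the mail or from NixOS; the option names networking.usedPorts and networking.expectedPorts are hypothetical): claims in the shape sketched above, an admin whitelist enforced through assertions, and firewall rules restricted to each claim's allow_from range.

```nix
{ config, lib, ... }:

with lib;

let
  cfg = config.networking.usedPorts;
  # Flatten { "9981".udp = { by = ...; }; } into a list of claim records.
  claims = concatLists (mapAttrsToList
    (port: protos: mapAttrsToList
      (proto: c: c // { port = toInt port; inherit proto; }) protos)
    cfg);

  # Loopback-only claims need no firewall hole at all.
  exposed = filter (c: c.allow_from != "127.0.0.1/32") claims;

  # One iptables rule per exposed claim, limited to its allow_from range.
  rule = c: ''
    iptables -A nixos-fw -p ${c.proto} -s ${c.allow_from} \
      --dport ${toString c.port} -j nixos-fw-accept
  '';
in
{
  # Services register claims, e.g. networking.usedPorts."9981".udp.by = "tvheadend";
  # `by` is a plain string, so two modules setting different values for the
  # same port fail evaluation with a conflicting-definition error.
  options.networking.usedPorts = mkOption {
    default = {};
    type = types.attrsOf (types.attrsOf (types.submodule {
      options = {
        by = mkOption { type = types.str; };
        allow_from = mkOption { type = types.str; default = "127.0.0.1/32"; };
        protocol = mkOption { type = types.nullOr types.str; default = null; };
      };
    }));
  };
  # The admin's whitelist (hypothetical option); any claimed port outside it fails evaluation.
  options.networking.expectedPorts = mkOption {
    type = types.listOf types.int;
    default = [];
  };
  config = {
    assertions = map (c: {
      assertion = elem c.port config.networking.expectedPorts;
      message = "${c.by} claims ${c.proto}/${toString c.port}, not in networking.expectedPorts";
    }) claims;

    networking.firewall.extraCommands = concatMapStrings rule exposed;
  };
}
```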

