Главная Обзор Помощь
Вход
jbranso
/
gnucode.me
Следить 1
В избранное 1
Ответвить 0
Файлы Обсуждения 0 Запросы на слияние 0 Вики
Дерево: 25246d0b6b
Ветки Метки
gnucode.me
/
site
/
setting-up-a-firewall.html

setting-up-a-firewall.html 10 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121 
  1. <!DOCTYPE html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><meta name="keywords" content="GNU, Emacs, Libre Software, Hurd, Guile, Guix" /><meta name="description" content="GNUcode.me is a website focusing on libre software projects, especially the GNU project." /><link type="application/atom+xml" rel="alternate" title="GNUcode.me -- Feed" href="/feed.xml" /><a rel="me" href="https://fosstodon.org/@thegnuguy"></a><link type="text/css" href="css/footer.min.css" rel="stylesheet"></link><link type="text/css" href="css/header.min.css" rel="stylesheet"></link><link type="text/css" href="css/main.min.css" rel="stylesheet"></link><title>Setting up a Firewall — GNUcode.me</title></head><body><header><nav><ul><li><a href="index.html">GNUcode.me</a></li><li><a href="services.html">Services</a></li><li><a href="business-ideas.html">Business-ideas</a></li><li><a href="about.html">About</a></li></ul></nav></header><h1>Setting up a Firewall</h1><main><section class="basic-section-padding"><article><h3>by Joshua Branson — January 23, 2023</h3><div><p>Edit: Feb 12: The below firewall does NOT work. I currently do NOT use a
    2. 

  2. firewall on my servers.</p><p>So my guix system servers have been running without a firewall.  I have decided
    3. 

  3. to actually fix that.  Unfortunately, OpenBSD’s pf does not work on linux.  It
    4. 

  4. seems like the best packaged firewall for GNU Guix System is currently provided
    5. 

  5. by the netfilter service.  Luckily Guix’s default server provides a good basic
    6. 

  6. configuration for enabling ssh access to the machine.  That configuration looks
    7. 

  7. like this:</p><pre><code>table inet filter {
    8. 

  8.   chain input {
    9. 

  9.     type filter hook input priority 0; policy drop;
    10. 

  10. 

  11.     # early drop of invalid connections
    12. 

  12.     ct state invalid drop
    13. 

  13. 

  14.     # allow established/related connections
    15. 

  15.     ct state { established, related } accept
    16. 

  16. 

  17.     # allow from loopback
    18. 

  18.     iifname lo accept
    19. 

  19. 

  20.     # allow icmp
    21. 

  21.     ip protocol icmp accept
    22. 

  22.     ip6 nexthdr icmpv6 accept
    23. 

  23. 

  24.     # allow ssh
    25. 

  25.     tcp dport ssh accept
    26. 

  26. 

  27.     # reject everything else
    28. 

  28.     reject with icmpx type port-unreachable
    29. 

  29.   }
    30. 

  30.   chain forward {
    31. 

  31.     type filter hook forward priority 0; policy drop;
    32. 

  32.   }
    33. 

  33.   chain output {
    34. 

  34.     type filter hook output priority 0; policy accept;
    35. 

  35.   }
    36. 

  36. }</code></pre><p>So it looks like I just need to add in policies just after the <code>#allow ssh</code>
    37. 

  37. line.</p><p>It seems like the easiest way to test this service out, is to first, <code>guix install nft</code>, then put your configuration into a file.  Then load in those
    38. 

  38. firewall rules via <code>sudo nft -f nftables.conf</code>.  If those rules end up breaking
    39. 

  39. things, you can revert the firewall to allow everything via <code>sudo nft flush ruleset</code>.  You can also list the current ruleset via <code>sudo nft list ruleset</code>.
    40. 

  40. You can also check the syntax in <code>nftables.conf</code> via <code>sudo nft -cf nftable.conf</code>.</p><p>Well I had a firewall working fairly well.  I tested the firewall rules via
    41. 

  41. <code>sudo nft -f nftables-lamora.conf</code>, and it worked really well. But this scheme
    42. 

  42. code seemed to break everything on the server.  Now, I can’t login to lamora and
    43. 

  43. the websites it hosts are not working.</p><pre><code>(service nftables-service-type
    44. 

  44.          (nftables-configuration
    45. 

  45.           (ruleset
    46. 

  46.            (mixed-text-file &quot;nftables.conf&quot;
    47. 

  47.                             &quot;./nftables-lamora.conf&quot;))))</code></pre><p>I reached out to linode support, and I am able to boot the machine in a rescue
    48. 

  48. image, which is pretty awesome.  From there I might be able to mount the
    49. 

  49. <code>/dev/sda</code> drive such that <code>/gnu/store</code> is set up properly.  But I think that is
    50. 

  50. pretty much beyond me.  Too much work to get correct.  So instead, I shall start
    51. 

  51. from scratch I suppose.  :(</p><p>What if I had just run,</p><pre><code>mount /dev/sda /mnt
    52. 

  52. chroot /mnt
    53. 

  53. sudo guix system roll-back</code></pre><p>That might have worked.  But it also might not have and it might have just taken me
    54. 

  54. longer too.</p><p>Looks like I have a small basic guix image lying around that I can tell linode
    55. 

  55. to use.  Let’s try that.</p><p>Well that caused a kernel panic. That didn’t work. Probably because I told
    56. 

  56. linode to set the root password, and linode doesn’t know how to mess with guix
    57. 

  57. system?</p><p>So I whiped my linode server, and started over.  And it looks like
    58. 

  58. I need to modify the current cookbook entry about running guix system on linode via
    59. 

  59. adding in</p><p><code>sudo apt-get update</code>, then <code>sudo apt-get install gpg</code>.</p><p>Here are some of the commands that I used to set up my new linode server.  It's on the
    60. 

  60. same IP address.  It's currently hosting gnucode.me.</p><pre><code>wget https://notabug.org/jbranso/linode-guix-system-configuration/raw/master/gnucode.me-initial-config.scm
    61. 

  61. mount /dev/sdc /mnt
    62. 

  62. sudo guix system reconfigure locke-lamora-initial-config.scm
    63. 

  63. guix install git
    64. 

  64. mkdir -p ~/prog/gnu/guix/guix-config/
    65. 

  65. cd ~/prog/gnu/guix/guix-config/
    66. 

  66. git clone https://notabug.org/jbranso/linode-guix-system-configuration
    67. 

  67. cd ../
    68. 

  68. git clone https://git.sr.ht/~whereiseveryone/guixrus
    69. 

  69. sudo mkdir -p /srv/www/html</code></pre><p>Now I need to git clone my various static websites on the server.</p><pre><code>cd /srv/www/html
    70. 

  70. sudo git clone https://notabug.org/jbranso/gnucode.me.git
    71. 

  71. sudo git clone https://notabug.org/jbranso/propernaming.git
    72. 

  72. sudo git clone https://notabug.org/jbranso/gnu-hurd.com.git
    73. 

  73. sudo mv propernaming propernaming.org</code></pre><p>So I believe that I need to chmod the files in /srv/www/html, so that nginx can
    74. 

  74. actually serve them. Unfortunately, I cannot do a <code>sudo chown -R nginx /srv</code>,
    75. 

  75. because my current guix system does not have an nginx user yet. But I believe
    76. 

  76. that I can still reconfigure the system, even if nginx will not be able to serve
    77. 

  77. the html files. After I have reconfigured, then I should be able chown the owner
    78. 

  78. of /srv to nginx. In the end I actually just did a <code>cd /srv; sudo chmod -R o+r *</code> and just made every file readable by everyone. That sort of violates the
    79. 

  79. principle of least privledge, oh well.</p><p>Now that I have made some modifications to my gnucode.me-current-config.scm that
    80. 

  80. comments out various certificate files that are not there yet, I can attempt to
    81. 

  81. reconfigure on the server:</p><pre><code>cd prog/gnu/guix/guix-config/linode-guix-system-configuration/
    82. 

  82. sudo guix system reconfigure gnucode.me-current-config.scm
    83. 

  83. 

  84. guix system: error: aborting reconfiguration because commit
    85. 

  85. 9fe5b490df83ff32e2e0a604bf636eca48b9e240 of channel 'guix' is not a descendant
    86. 

  86. of 900d33527c9286a811f064d4bb8f4a9b18d1db0b</code></pre><p>Well let’s try this updating everything.  And I believe that you need to do a
    87. 

  87. guix pull as root at least once.</p><pre><code>su
    88. 

  88. guix pull;
    89. 

  89. exit;
    90. 

  90. guix pull;</code></pre><p>Oh yeah, I also need to power down my linode, delete the debian partition, and
    91. 

  91. resize the guix partition to full size.</p><p>Now I believe that I cannot reconfigure my server with the current
    92. 

  92. <code>gnucode.me-current-config.scm</code>, because nginx will fail to start because the
    93. 

  93. letsencrypt scripts are not there yet. So I need to modify the nginx bits before
    94. 

  94. I can start the service. I also decided to set up <code>guix deploy</code> on my gnucode.me
    95. 

  95. machine, so that reconfiguring the remote server is faster.</p><p>Ok, so I have my current-config for gnucode.me deployed.  Geez, guix deploy is
    96. 

  96. sooo super fast!  And all you need to do is to set up ssh-agent  and customize a
    97. 

  97. deployment list.  I set up ssh-agent via my <code>.bash_profile</code></p><pre><code>cat .bash_profile | grep eval -A 1
    98. 

  98. 

  99. if [[ -z $DISPLAY ]] &amp;&amp; [[ $(tty) = /dev/tty6 ]]; then
    100. 

  100.     eval `ssh-agent -s`
    101. 

  101.     ssh-add
    102. 

  102.     exec dbus-run-session sway
    103. 

  103. fi</code></pre><p>Now all you need to do is customize this:</p><pre><code>(list (machine
    104. 

  104.        (operating-system %system)
    105. 

  105.        (environment managed-host-environment-type)
    106. 

  106.        (configuration (machine-ssh-configuration
    107. 

  107.                        (host-name &quot;45.56.66.20&quot;)
    108. 

  108.                        (system &quot;x86_64-linux&quot;)
    109. 

  109.                        (user &quot;joshua&quot;)
    110. 

  110.                        (identity &quot;~/.ssh/id_rsa&quot;)
    111. 

  111.                        (host-key &quot;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgL0hBTWmCVGGvNJYa+YS+fEXs89v0GbdkQ+M+LdZlf root@(none)&quot;)
    112. 

  112.                        (port 63355)))))</code></pre><p>The port is the ssh port.  And the ssh-ed25519 is found on your remote server’s
    113. 

  113. <code>etc/ssh/ssh_host_ed25519_key.pub</code> file.</p><p>Now nginx serves my websites via http.  Let’s get https working.</p><pre><code>sudo /var/lib/certbot/renew-certificates</code></pre><p>Alright, now I can set up my config.scm to allow nginx to serve web traffic via https.</p><p>Well, can I get a nftables service running now?</p><p>At first it seemed that <code>(service nftables-service-type)</code> is apparently good
    114. 

  114. enough to be a decent firewall for my server. Then very quickly I realized that
    115. 

  115. it was a terrible firewall for a server, because it blocked all http and https
    116. 

  116. traffic.</p><p>It looks like the arch linux wiki has a decent configuration example for a server:</p><p>https://wiki.archlinux.org/title/Nftables#Examples</p><p>So I just took the example nftables configuration for a server and used that.
    117. 

  117. The configuration file is here:</p><p>https://notabug.org/jbranso/linode-guix-system-configuration/src/master/nftables.scm</p><p>Let me know if you see that I did something silly in it, because I probably did.</p><p>Bonus paragraph! It took me about 2-4 hours to re-set up my server just the way
    118. 

  118. it was before, except I haven't set up email yet. If you crashed your server
    119. 

  119. lost your backups, how long would it take you to set up you server, just as it
    120. 

  120. was? 2-4 hours is longer than I expected, but I think guix's declarative
    121. 

  121. approach certainly is pretty awesome!</p></div></article></section></main><footer><p>© 2020 Joshua Branson.  The text on this site is free culture under the Creative Commons Attribution Share-Alike 4.0 International license.</p><p>This website is build with Haunt, a static site generator written in Guile Scheme.  Source code is <a href="https://notabug.org/jbranso/gnucode.me">available.</a></p><p>The color theme of this website is based off of the famous <a href="#3f3f3f" target="_blank">zenburn</a> theme.</p></footer></body>
    122.