BenediktSeidl/nixos-check_mk_agent-overlay

Insecure openFirewall

Opened this issue · 1 comments

With the current openFirewall configuration, port 6556 is opened for everyone. So you can call `telnet <IP> 6556` from any other device to see all monitoring information.

I used the following configuration (for nftables) instead:

```nix
{
  config,
  pkgs,
  check_mk_agent,
  ...
}:
let
  cfg = config.services.check_mk_agent;
  # the only host that may talk to the agent
  monitoringServerIp = "123.123.123.123";
in
{
  imports = [ check_mk_agent.nixosModules.check_mk_agent ];

  config = {
    services.check_mk_agent = {
      enable = true;
      bind = "0.0.0.0";
      # do not open the port to the world; the rule below restricts it instead
      openFirewall = false;
      package = pkgs.check_mk_agent.override { enablePluginSmart = true; };
    };

    # nftables: accept the agent port only from the monitoring server
    networking.firewall.extraInputRules = ''
      ip saddr ${monitoringServerIp} tcp dport ${toString cfg.port} accept
    '';
  };
}
```

I thought this was the default for all "official" NixOS configurations. I just picked some random examples from search.nixos.org.

This seems to confirm my gut feeling: if you just want to open the firewall to everyone you can use that option, otherwise you have to configure your firewall on your own. I think this makes sense, because the flake author cannot know whether the system uses iptables, nftables or other higher-level firewall systems.

I too have special firewall configuration in my setup via networking.firewall.extraCommands.

Do you have an example of other modules or flakes that have a more advanced firewall configuration option?
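As an added illustration of what such an option could look like (this is not code from the issue, the overlay, or NixOS itself): a wrapper module that introduces a hypothetical `services.check_mk_agent.allowedSources` list and emits the matching accept rule for whichever backend the host uses, nftables via `extraInputRules` or iptables via `extraCommands`. It assumes the overlay's module exposes `services.check_mk_agent.port` and `openFirewall` as used above, and only handles IPv4 sources.

```nix
# Added example, not part of the overlay. `allowedSources` is a hypothetical
# option defined here; `cfg.port` and `cfg.openFirewall` come from the overlay.
{ config, lib, ... }:
let
  cfg = config.services.check_mk_agent;
  sources = cfg.allowedSources;
  port = toString cfg.port;
  useNft = config.networking.nftables.enable;
in
{
  options.services.check_mk_agent.allowedSources = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [ ];
    example = [ "123.123.123.123" ];
    description = "IPv4 hosts allowed to reach the agent port; all others are dropped.";
  };

  config = lib.mkIf (cfg.enable && sources != [ ]) {
    # Refuse a configuration that silently opens the port to everyone anyway.
    assertions = [{
      assertion = !cfg.openFirewall;
      message = "services.check_mk_agent: set openFirewall = false when using allowedSources";
    }];

    # nftables backend: one accept rule per allowed source.
    networking.firewall.extraInputRules = lib.mkIf useNft (
      lib.concatMapStringsSep "\n"
        (ip: "ip saddr ${ip} tcp dport ${port} accept")
        sources
    );

    # iptables backend: append to the nixos-fw chain, which the NixOS firewall
    # flushes and rebuilds on every start/reload, so no stop commands are needed.
    networking.firewall.extraCommands = lib.mkIf (!useNft) (
      lib.concatMapStringsSep "\n"
        (ip: "iptables -A nixos-fw -p tcp -s ${ip} --dport ${port} -j nixos-fw-accept")
        sources
    );
  };
}
```

After a rebuild, a quick check from a host that is not in `allowedSources` (for example `nc -vz <agent-ip> 6556`) should time out or be refused, while the monitoring server still connects.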