Firewall: Difference between revisions
imported>Bowmanjd m So minor, but I was confused if networking.nftables _replaced_ or _supplemented_ networking.firewall, and I noticed example configs online that suggested others may be confused as well. |
Reword and refactor layout |
||
| (4 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
NixOS | [[NixOS]] includes an integrated firewall based on [https://www.netfilter.org/ iptables]/[https://www.nftables.org/ nftables], which can be configured declaratively through the [[NixOS system configuration]]. By default, the firewall is enabled and restricts incoming network connections, allowing users to explicitly define which ports and services should be accessible. | ||
== Enable == | == Enable == | ||
The firewall is enabled | The firewall is enabled by default on NixOS. To explicitly ensure it is enabled, add the following option to your system configuration: | ||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
networking.firewall.enable = true; | networking.firewall.enable = true; | ||
</nowiki>}} | </nowiki>}} | ||
With the firewall enabled, all local ports and services will be unreachable from external connections unless explicitly allowed. | |||
To use the newer nftables backend instead of iptables, set the option {{nixos:option|networking.nftables.enable}} to true. | |||
== Configuration == | == Configuration == | ||
| Line 17: | Line 17: | ||
To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax: | To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax: | ||
< | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
networking.firewall = { | networking.firewall = { | ||
enable = true; | |||
allowedTCPPorts = [ 80 443 ]; | |||
allowedUDPPortRanges = [ | |||
{ from = 4000; to = 4007; } | |||
{ from = 8000; to = 8010; } | |||
]; | |||
}; | }; | ||
</ | </nowiki>}} | ||
Refer to {{nixos:option|networking.firewall}} for more firewall module options. | |||
{{note|Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option <code><nowiki>services.jellyfin.openFirewall = true;</nowiki></code> which will open the required TCP ports.}} | {{note|Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option <code><nowiki>services.jellyfin.openFirewall = true;</nowiki></code> which will open the required TCP ports.}} | ||
{{warning|Firewall rules may be overwritten by [[Docker]], as per https://github.com/NixOS/nixpkgs/issues/111852}} | |||
=== Interface specific rules === | |||
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ]; | |||
</ | It is possible to define firewall rules for specific network interfaces. This can be useful for allowing different ports or services on different network connections. Add the following to your system configuration: | ||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | |||
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ]; | |||
</nowiki>}} | |||
In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>. | In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>. | ||
== | == Tips and tricks == | ||
=== Temporary firewall rules === | |||
If using iptables, for temporary changes to the firewall rules, you can install the [https://search.nixos.org/packages?query=nixos-firewall-tool <code>nixos-firewall-tool</code>] package, which is a [https://github.com/NixOS/nixpkgs/blob/7eee17a8a5868ecf596bbb8c8beb527253ea8f4d/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh thin wrapper] around <code>iptables</code>. | |||
[[Category:Server]] | |||
[[Category:Applications]] | |||
Latest revision as of 17:48, 13 June 2025
NixOS includes an integrated firewall based on iptables/nftables, which can be configured declaratively through the NixOS system configuration. By default, the firewall is enabled and restricts incoming network connections, allowing users to explicitly define which ports and services should be accessible.
Enable
The firewall is enabled by default on NixOS. To explicitly ensure it is enabled, add the following option to your system configuration:
❄︎ /etc/nixos/configuration.nix
networking.firewall.enable = true;
With the firewall enabled, all local ports and services will be unreachable from external connections unless explicitly allowed.
To use the newer nftables backend instead of iptables, set the option networking.nftables.enable to true.
Configuration
To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax:
❄︎ /etc/nixos/configuration.nix
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
allowedUDPPortRanges = [
{ from = 4000; to = 4007; }
{ from = 8000; to = 8010; }
];
};
Refer to networking.firewall for more firewall module options.
Note: Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option
services.jellyfin.openFirewall = true; which will open the required TCP ports.⚠︎
Warning: Firewall rules may be overwritten by Docker, as per https://github.com/NixOS/nixpkgs/issues/111852
Interface specific rules
It is possible to define firewall rules for specific network interfaces. This can be useful for allowing different ports or services on different network connections. Add the following to your system configuration:
❄︎ /etc/nixos/configuration.nix
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
In this case, ports 80 and 443 will be allowed for the interface eth0.
Tips and tricks
Temporary firewall rules
If using iptables, for temporary changes to the firewall rules, you can install the nixos-firewall-tool package, which is a thin wrapper around iptables.