Firewall: Difference between revisions

Line 1:

NixOS ~~provides~~ an ~~interface to configure the firewall through the option <code>networking.firewall</code>.~~

[[NixOS]] includes an integrated firewall based on [https://www.netfilter.org/ iptables]/[https://www.nftables.org/ nftables], which can be configured declaratively through the [[NixOS system configuration]]. By default, the firewall is enabled and restricts incoming network connections, allowing users to explicitly define which ports and services should be accessible.

~~The default~~ firewall ~~uses~~ [https://www.netfilter.org/ iptables]~~. To use the newer~~ [https://www.nftables.org/ nftables] ~~instead~~, ~~additionally set <code>networking~~.~~nftables~~.~~enable = true;</code>~~

== Enable ==

The firewall is enabled ~~when not set~~. To explicitly ~~enable~~ it add the following ~~into~~ your system configuration:

The firewall is enabled by default on NixOS. To explicitly ensure it is enabled, add the following option to your system configuration:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

networking.firewall.enable = true;

</nowiki>}}

~~This will make~~ all local ports and services unreachable from external connections.

With the firewall enabled, all local ports and services will be unreachable from external connections unless explicitly allowed.

To use the newer nftables backend instead of iptables, set the option {{nixos:option|networking.nftables.enable}} to true.

== Configuration ==

Line 17:

To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax:

<~~syntaxhighlight lang="nix~~>

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

networking.firewall = {

enable = true;

allowedTCPPorts = [ 80 443 ];

allowedUDPPortRanges = [

{ from = 4000; to = 4007; }

{ from = 8000; to = 8010; }

];

};

</~~syntaxhighlight~~>

</nowiki>}}

Refer to {{nixos:option|networking.firewall}} for more firewall module options.

{{note|Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option <code><nowiki>services.jellyfin.openFirewall = true;</nowiki></code> which will open the required TCP ports.}}

~~Interface-specific firewall~~ rules ~~can~~ be ~~applied like this~~:

{{warning|Firewall rules may be overwritten by [[Docker]], as per https://github.com/NixOS/nixpkgs/issues/111852}}

~~<syntaxhighlight lang~~="nix>

=== Interface specific rules ===

networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];

</~~syntaxhighlight~~>

It is possible to define firewall rules for specific network interfaces. This can be useful for allowing different ports or services on different network connections. Add the following to your system configuration:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];

</nowiki>}}

In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>.

~~If using iptables, for temporary changes to the firewall rules, you can install the [https://search.nixos.org/packages?query~~=nixos-firewall-tool <code>nixos-firewall-tool</code>] package, which is a [https://github.com/NixOS/nixpkgs/blob/7eee17a8a5868ecf596bbb8c8beb527253ea8f4d/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh thin wrapper] around <code>iptables</code>.

== Tips and tricks ==

== ~~Warning~~ ==

=== Temporary firewall rules ===

~~Firewall~~ rules ~~may be overwritten by Docker~~, ~~as per~~ https://github.com/NixOS/nixpkgs/~~issues~~/~~111852~~

If using iptables, for temporary changes to the firewall rules, you can install the [https://search.nixos.org/packages?query=nixos-firewall-tool <code>nixos-firewall-tool</code>] package, which is a [https://github.com/NixOS/nixpkgs/blob/7eee17a8a5868ecf596bbb8c8beb527253ea8f4d/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh thin wrapper] around <code>iptables</code>.

[[Category:Server]]

[[Category:Applications]]

@@ Line 1: / Line 1: @@
-NixOS provides an interface to configure the firewall through the option <code>networking.firewall</code>.
+[[NixOS]] includes an integrated firewall based on [https://www.netfilter.org/ iptables]/[https://www.nftables.org/ nftables], which can be configured declaratively through the [[NixOS system configuration]]. By default, the firewall is enabled and restricts incoming network connections, allowing users to explicitly define which ports and services should be accessible.
-The default firewall uses [https://www.netfilter.org/ iptables]. To use the newer [https://www.nftables.org/ nftables] instead, additionally set <code>networking.nftables.enable = true;</code>
 == Enable ==
-The firewall is enabled when not set. To explicitly enable it add the following into your system configuration:
+The firewall is enabled by default on NixOS. To explicitly ensure it is enabled, add the following option to your system configuration:
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
-networking.firewall.enable = true;
+  networking.firewall.enable = true;
 </nowiki>}}
-This will make all local ports and services unreachable from external connections.
+With the firewall enabled, all local ports and services will be unreachable from external connections unless explicitly allowed.
+To use the newer nftables backend instead of iptables, set the option {{nixos:option|networking.nftables.enable}} to true.
 == Configuration ==
@@ Line 17: / Line 17: @@
 To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax:
-<syntaxhighlight lang="nix>
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
-networking.firewall = {
+  networking.firewall = {
-  enable = true;
+    enable = true;
-  allowedTCPPorts = [ 80 443 ];
+    allowedTCPPorts = [ 80 443 ];
-  allowedUDPPortRanges = [
+    allowedUDPPortRanges = [
-    { from = 4000; to = 4007; }
+      { from = 4000; to = 4007; }
-    { from = 8000; to = 8010; }
+      { from = 8000; to = 8010; }
-  ];
+    ];
-};
+  };
-</syntaxhighlight>
+</nowiki>}}
+Refer to {{nixos:option|networking.firewall}} for more firewall module options.
 {{note|Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option <code><nowiki>services.jellyfin.openFirewall = true;</nowiki></code> which will open the required TCP ports.}}
-Interface-specific firewall rules can be applied like this:
+{{warning|Firewall rules may be overwritten by [[Docker]], as per https://github.com/NixOS/nixpkgs/issues/111852}}
-<syntaxhighlight lang="nix>
+=== Interface specific rules ===
-networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
-</syntaxhighlight>
+It is possible to define firewall rules for specific network interfaces. This can be useful for allowing different ports or services on different network connections. Add the following to your system configuration:
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+  networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
+</nowiki>}}
 In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>.
-If using iptables, for temporary changes to the firewall rules, you can install the [https://search.nixos.org/packages?query=nixos-firewall-tool <code>nixos-firewall-tool</code>] package, which is a [https://github.com/NixOS/nixpkgs/blob/7eee17a8a5868ecf596bbb8c8beb527253ea8f4d/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh thin wrapper] around <code>iptables</code>.
+== Tips and tricks ==
-== Warning ==
+=== Temporary firewall rules ===
-Firewall rules may be overwritten by Docker, as per https://github.com/NixOS/nixpkgs/issues/111852
+If using iptables, for temporary changes to the firewall rules, you can install the [https://search.nixos.org/packages?query=nixos-firewall-tool <code>nixos-firewall-tool</code>] package, which is a [https://github.com/NixOS/nixpkgs/blob/7eee17a8a5868ecf596bbb8c8beb527253ea8f4d/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh thin wrapper] around <code>iptables</code>.
 [[Category:Server]]
 [[Category:Applications]]