Firewall: Difference between revisions

(2 intermediate revisions by 2 users not shown)

Line 43:

In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>.

=== Advanced Configuration ===

Some users may want more fine-grained control of how their firewall is configured. This can, when using nftables, be achieved by defining custom tables and chains through {{Nixos:option|networking.nftables.tables}}.

It is important to say that a <code>nixos-fw</code> table with multiple chains will be generated by setting {{Nixos:option|networking.nftables.enable}} to true. These chains can be modified with extra rules through various options within {{Nixos:option|networking.firewall}}. If possible, try to stick to these when customizing generated rules, as trying to dynamically delete and overwrite them at activation time can be ''very'' error-prone.

For instance, to expose a TCP port only to your local IPv4 and IPv6 subnets, add the following to your configuration:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

networking.firewall.extraInputRules = ''

ip saddr 130.236.254.0/24 tcp dport 6600 accept

ip6 saddr 2001:6b0:17:f0a0::/64 tcp dport 6600 accept

'';

</nowiki>}}

This will add the two specified rules to the <code>input-allow</code> chain in the <code>nixos-fw</code> table. You should, of course, replace the port and subnets with your own.

== Tips and tricks ==

=== Log all dropped/rejected network packets ===

On a vanilla NixOS install, the [https://search.nixos.org/options?show=networking.firewall.logRefusedPackets&query=networking.firewall.logRefusedPackets <code>networking.firewall.logRefusedPackets = true;</code>] stanza lets you see lines in syslog with the prefix <code>refused packet:</code>, once you <code>sudo nixos-rebuild switch</code> and then <code>sudo dmesg --follow --human | grep 'refused packet:'</code>.

=== Temporary firewall rules ===

@@ Line 43: / Line 43: @@
 In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>.
+=== Advanced Configuration ===
+Some users may want more fine-grained control of how their firewall is configured. This can, when using nftables, be achieved by defining custom tables and chains through {{Nixos:option|networking.nftables.tables}}.
+It is important to say that a <code>nixos-fw</code> table with multiple chains will be generated by setting {{Nixos:option|networking.nftables.enable}} to true. These chains can be modified with extra rules through various options within {{Nixos:option|networking.firewall}}. If possible, try to stick to these when customizing generated rules, as trying to dynamically delete and overwrite them at activation time can be ''very'' error-prone.
+For instance, to expose a TCP port only to your local IPv4 and IPv6 subnets, add the following to your configuration:
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+    networking.firewall.extraInputRules = ''
+      ip saddr 130.236.254.0/24 tcp dport 6600 accept
+      ip6 saddr 2001:6b0:17:f0a0::/64 tcp dport 6600 accept
+    '';
+</nowiki>}}
+This will add the two specified rules to the <code>input-allow</code> chain in the <code>nixos-fw</code> table. You should, of course, replace the port and subnets with your own.
 == Tips and tricks ==
+=== Log all dropped/rejected network packets ===
+On a vanilla NixOS install, the [https://search.nixos.org/options?show=networking.firewall.logRefusedPackets&query=networking.firewall.logRefusedPackets <code>networking.firewall.logRefusedPackets = true;</code>] stanza lets you see lines in syslog with the prefix <code>refused packet:</code>, once you <code>sudo nixos-rebuild switch</code> and then <code>sudo dmesg --follow --human | grep 'refused packet:'</code>.
 === Temporary firewall rules ===