Firewall: Difference between revisions

X10an14 (talk | contribs)
m Add tip on how to log dropped/rejected network packets
m Temporary firewall rules: Remove statement that nixos-firewall-tool only works with iptables
 
(2 intermediate revisions by one other user not shown)


In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>.
=== Advanced Configuration ===
Some users may want more fine-grained control over how their firewall is configured. When using the nftables backend, this can be achieved by defining custom tables and chains through {{Nixos:option|networking.nftables.tables}}.
Note that when {{Nixos:option|networking.nftables.enable}} is set to true (with {{Nixos:option|networking.firewall.enable}}, the default, left on), a <code>nixos-fw</code> table with several chains is generated for you. These chains can be extended with additional rules through the various options under {{Nixos:option|networking.firewall}}. If possible, stick to these options when customizing the generated rules: trying to delete and overwrite the generated chains dynamically at activation time is ''very'' error-prone.
For instance, to expose a TCP port only to your local IPv4 and IPv6 subnets, add the following to your configuration:
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
    networking.firewall.extraInputRules = ''
      ip saddr 130.236.254.0/24 tcp dport 6600 accept
      ip6 saddr 2001:6b0:17:f0a0::/64 tcp dport 6600 accept
    '';
</nowiki>}}
This will add the two specified rules to the <code>input-allow</code> chain in the <code>nixos-fw</code> table. You should, of course, replace the port and subnets with your own.
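The following is an added example configuration (not taken from the wiki page or from the NixOS modules themselves) that combines both approaches described above: generic allow rules and subnet-restricted rules go through the generated <code>nixos-fw</code> table via <code>networking.firewall</code>, while a separate custom table defined through <code>networking.nftables.tables</code> rate-limits new SSH connections per source address before they reach <code>nixos-fw</code>. The subnets (RFC 5737/3849 documentation prefixes), the port numbers, and the table name <code>ssh-ratelimit</code> are assumptions; replace them with your own.

```nix
# Added example, not the wiki's or nixpkgs' own code. Subnets, ports and the
# table name are assumptions chosen for illustration.
{ config, lib, pkgs, ... }:

{
  # Switch the NixOS firewall to the nftables backend; this is what makes the
  # generated "nixos-fw" table (and options such as extraInputRules) available.
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;

    # Ordinary allow rules still go through the module, which renders them
    # into the generated nixos-fw table.
    allowedTCPPorts = [ 22 ];

    # Rules appended verbatim to the input-allow chain of inet nixos-fw.
    # Only the two (assumed) local subnets may reach TCP port 6600.
    extraInputRules = ''
      ip saddr 192.0.2.0/24 tcp dport 6600 accept
      ip6 saddr 2001:db8:17:f0a0::/64 tcp dport 6600 accept
    '';
  };

  # A custom table that is separate from nixos-fw, so the firewall module's
  # own activation logic never has to touch it. It is rendered as
  # "table ip ssh-ratelimit { ... }". The ip family is used here because the
  # dynamic set is keyed on IPv4 addresses; an inet table with "ip saddr"
  # would also only ever match IPv4 packets.
  networking.nftables.tables.ssh-ratelimit = {
    family = "ip";
    content = ''
      # Dynamic set: one entry per source address, created on the fly by the
      # "add @ssh_meter" expression below.
      set ssh_meter {
        type ipv4_addr
        size 65535
        flags dynamic
      }

      chain input {
        # priority -10 runs before the nixos-fw input chain (priority filter,
        # i.e. 0), so flooding sources are dropped before nixos-fw accepts them.
        # policy accept: everything else falls through to nixos-fw unchanged.
        type filter hook input priority -10; policy accept;

        # More than 5 new SSH connections per minute from one address: drop.
        tcp dport 22 ct state new \
          add @ssh_meter { ip saddr limit rate over 5/minute } \
          counter drop
      }
    '';
  };
}
```

After <code>nixos-rebuild switch</code>, <code>nft list ruleset</code> shows both tables; <code>nft list chain inet nixos-fw input-allow</code> should contain the two subnet rules, and <code>nft list set ip ssh-ratelimit ssh_meter</code> shows which source addresses are currently being metered. Keeping the rate limit in its own table means a later change to <code>networking.firewall</code> options regenerates <code>nixos-fw</code> without any risk of clobbering it.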


== Tips and tricks ==
=== Temporary firewall rules ===


For temporary changes to the firewall rules, you can install the [https://search.nixos.org/packages?query=nixos-firewall-tool <code>nixos-firewall-tool</code>] package, which is a [https://github.com/NixOS/nixpkgs/blob/7eee17a8a5868ecf596bbb8c8beb527253ea8f4d/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh thin wrapper] around <code>iptables</code> and <code>nftables</code>.


[[Category:Server]]
[[Category:Applications]]