Firewall: Difference between revisions

From NixOS Wiki
imported>Onny
Initial page for configuring the firewall
 
Klinger (talk | contribs)
 
(7 intermediate revisions by 6 users not shown)
Line 1: Line 1:
NixOS provides an interface to configure the [https://www.nftables.org/ Nftables] based firewall through the option <code>networking.firewall</code>.
NixOS provides an interface to configure the firewall through the option <code>networking.firewall</code>.
 
The default firewall uses [https://www.netfilter.org/ iptables]. To use the newer [https://www.nftables.org/ nftables] instead, additionally set <code>networking.nftables.enable = true;</code>


== Enable ==
== Enable ==


To enable the firewall, simply put following code into your system configuration
The firewall is enabled when not set. To explicitly enable it add the following into your system configuration:


{{file|/etc/nixos/configuration.nix|nix|<nowiki>
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
Line 13: Line 15:
== Configuration ==
== Configuration ==


To allow specific TCP/UDP ports or port ranges on all interfaces, you can use following syntax:
To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax:


<syntaxhighlight lang="nix>
<syntaxhighlight lang="nix>
Line 26: Line 28:
</syntaxhighlight>
</syntaxhighlight>


{{note|Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option <code><nowiki>services.jellyfin.openFirewall = true;</nowiki></code> which will open the required TCP ports.}}


Interface specific firewall rules can be applied like this
Interface-specific firewall rules can be applied like this:


<syntaxhighlight lang="nix>
<syntaxhighlight lang="nix>
Line 34: Line 37:


In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>.
In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>.
== Warning ==
Firewall rules may be overwritten by Docker, as per https://github.com/NixOS/nixpkgs/issues/111852
[[Category:Server]]
[[Category:Applications]]

Latest revision as of 17:43, 19 April 2024

NixOS provides an interface to configure the firewall through the option networking.firewall.

The default firewall uses iptables. To use the newer nftables instead, additionally set networking.nftables.enable = true;

Enable

The firewall is enabled when not set. To explicitly enable it add the following into your system configuration:

/etc/nixos/configuration.nix
networking.firewall.enable = true;

This will make all local ports and services unreachable from external connections.

Configuration

To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax:

networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
  allowedUDPPortRanges = [
    { from = 4000; to = 4007; }
    { from = 8000; to = 8010; }
  ];
};
Note: Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option services.jellyfin.openFirewall = true; which will open the required TCP ports.

Interface-specific firewall rules can be applied like this:

networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];

In this case, ports 80 and 443 will be allowed for the interface eth0.

Warning

Firewall rules may be overwritten by Docker, as per https://github.com/NixOS/nixpkgs/issues/111852