Firewall: Difference between revisions
Latest revision as of 13:00, 1 December 2024

NixOS provides an interface to configure the firewall through the option <code>networking.firewall</code>.

The default firewall uses [https://www.netfilter.org/ iptables]. To use the newer [https://www.nftables.org/ nftables] instead, additionally set <code>networking.nftables.enable = true;</code>

== Enable ==

The firewall is enabled by default when the option is not set. To enable it explicitly, add the following to your system configuration:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>
networking.firewall.enable = true;
</nowiki>}}

This makes all local ports and services unreachable from external connections.

== Configuration ==

To allow specific TCP/UDP ports or port ranges on all interfaces, use the following syntax:

<syntaxhighlight lang="nix">
networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
  allowedUDPPortRanges = [
    { from = 4000; to = 4007; }
    { from = 8000; to = 8010; }
  ];
};
</syntaxhighlight>

{{note|Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option <code><nowiki>services.jellyfin.openFirewall = true;</nowiki></code>, which opens the required TCP ports.}}

Interface-specific firewall rules can be applied like this:

<syntaxhighlight lang="nix">
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
</syntaxhighlight>

In this case, ports <code>80</code> and <code>443</code> will be allowed on the interface <code>eth0</code>.

If using iptables, for temporary changes to the firewall rules you can install the [https://search.nixos.org/packages?channel=24.11&from=0&size=50&sort=relevance&type=packages&query=nixos-firewall-tool <code>nixos-firewall-tool</code>] package, which is a [https://github.com/NixOS/nixpkgs/blob/7eee17a8a5868ecf596bbb8c8beb527253ea8f4d/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh thin wrapper] around <code>iptables</code>.

== Warning ==

Firewall rules may be overwritten by Docker, as per https://github.com/NixOS/nixpkgs/issues/111852

[[Category:Server]]
[[Category:Applications]]
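Because the live ruleset can diverge from the declaration (temporary changes via <code>nixos-firewall-tool</code>, another program rewriting rules), a defender wants a check that compares the two. The following Python is an added example, not code from the wiki or from NixOS: it expands a <code>networking.firewall</code>-style declaration into (interface, protocol, port) triples and diffs them against the per-port accept rules of the <code>nixos-fw</code> chain in an <code>iptables-save</code> dump (iptables backend only). The exact rule layout of that chain and the dump itself are constructed assumptions.

```python
import re
# Constructed `iptables-save` excerpt in the shape of the nixos-fw chain that
# the NixOS iptables backend generates (assumed layout, not a real capture).
SAMPLE_IPTABLES_SAVE = """\
-A nixos-fw -i lo -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 80 -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 443 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 4000:4007 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 8000:8010 -j nixos-fw-accept
-A nixos-fw -i eth0 -p tcp -m tcp --dport 22 -j nixos-fw-accept
"""
# Declaration in the same shape as the networking.firewall options above.
DECLARED = {
    "allowedTCPPorts": [80, 443],
    "allowedUDPPortRanges": [{"from": 4000, "to": 4007}, {"from": 8000, "to": 8010}],
    "interfaces": {"eth0": {"allowedTCPPorts": [80, 443]}},
}
# Only per-port accept rules are parsed; other nixos-fw rules (loopback etc.) are skipped.
RULE_RE = re.compile(
    r"^-A nixos-fw(?: -i (?P<iface>\S+))? -p (?P<proto>tcp|udp)(?: -m (?P=proto))?"
    r" --dport (?P<lo>\d+)(?::(?P<hi>\d+))? -j nixos-fw-accept$"
)

def declared_ports(cfg):
    """Expand a declaration into (iface, proto, port) triples; iface "*" means all."""
    out = set()
    def add(iface, sub):
        for proto in ("TCP", "UDP"):
            for port in sub.get(f"allowed{proto}Ports", []):
                out.add((iface, proto.lower(), port))
            for r in sub.get(f"allowed{proto}PortRanges", []):
                out.update((iface, proto.lower(), p) for p in range(r["from"], r["to"] + 1))
    add("*", cfg)
    for iface, sub in cfg.get("interfaces", {}).items():
        add(iface, sub)
    return out

def active_ports(dump):
    """Collect (iface, proto, port) triples from the accept rules of a dump."""
    out = set()
    for m in filter(None, map(RULE_RE.match, dump.splitlines())):
        lo, hi = int(m["lo"]), int(m["hi"] or m["lo"])
        out.update((m["iface"] or "*", m["proto"], p) for p in range(lo, hi + 1))
    return out

def firewall_drift(cfg, dump):
    """Declared-but-absent and present-but-undeclared openings, for alerting."""
    want, have = declared_ports(cfg), active_ports(dump)
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}
```

On the constructed dump the check reports the declared <code>eth0</code> ports 80 and 443 as missing and the undeclared <code>eth0</code> port 22 as unexpected; on a real host, pass the output of <code>iptables-save</code> instead.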