Firewall: Difference between revisions
imported>Onny Initial page for configuring the firewall |
|||
(7 intermediate revisions by 6 users not shown) | |||
Line 1: | Line 1: | ||
NixOS provides an interface to configure the [https://www.nftables.org/ | NixOS provides an interface to configure the firewall through the option <code>networking.firewall</code>. | ||
The default firewall uses [https://www.netfilter.org/ iptables]. To use the newer [https://www.nftables.org/ nftables] instead, additionally set <code>networking.nftables.enable = true;</code> | |||
== Enable == | == Enable == | ||
To enable the | The firewall is enabled when not set. To explicitly enable it add the following into your system configuration: | ||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
Line 13: | Line 15: | ||
== Configuration == | == Configuration == | ||
To allow specific TCP/UDP ports or port ranges on all interfaces, | To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax: | ||
<syntaxhighlight lang="nix> | <syntaxhighlight lang="nix> | ||
Line 26: | Line 28: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
{{note|Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option <code><nowiki>services.jellyfin.openFirewall = true;</nowiki></code> which will open the required TCP ports.}} | |||
Interface specific firewall rules can be applied like this | Interface-specific firewall rules can be applied like this: | ||
<syntaxhighlight lang="nix> | <syntaxhighlight lang="nix> | ||
Line 34: | Line 37: | ||
In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>. | In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>. | ||
== Warning == | |||
Firewall rules may be overwritten by Docker, as per https://github.com/NixOS/nixpkgs/issues/111852 | |||
[[Category:Server]] | |||
[[Category:Applications]] |
Latest revision as of 17:43, 19 April 2024
NixOS provides an interface to configure the firewall through the option networking.firewall
.
The default firewall uses iptables. To use the newer nftables instead, additionally set networking.nftables.enable = true;
Enable
The firewall is enabled when not set. To explicitly enable it add the following into your system configuration:
/etc/nixos/configuration.nix
networking.firewall.enable = true;
This will make all local ports and services unreachable from external connections.
Configuration
To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax:
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
allowedUDPPortRanges = [
{ from = 4000; to = 4007; }
{ from = 8000; to = 8010; }
];
};
Interface-specific firewall rules can be applied like this:
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
In this case, ports 80
and 443
will be allowed for the interface eth0
.
Warning
Firewall rules may be overwritten by Docker, as per https://github.com/NixOS/nixpkgs/issues/111852