Firewall: Difference between revisions

(10 intermediate revisions by 9 users not shown)

Line 1:

NixOS ~~provides~~ an ~~interface to configure the firewall through the option <code>networking.firewall</code>.~~

[[NixOS]] includes an integrated firewall based on [https://www.netfilter.org/ iptables]/[https://www.nftables.org/ nftables], which can be configured declaratively through the [[NixOS system configuration]]. By default, the firewall is enabled and restricts incoming network connections, allowing users to explicitly define which ports and services should be accessible.

~~Whether the~~ firewall is based on [https://www.~~nftables~~.org/ ~~Nftables~~] ~~or iptables depends on the value of~~ [https://~~github.com/NixOS/nixpkgs/blob/4bff9cd9f809b8f510a21be0c845bf37e6af148c/nixos/modules/services/networking/firewall.nix#L73 <code>config.networking~~.nftables.~~enable<~~/~~code>~~].

== Enable ==

To ~~enable~~ the ~~firewall, simply put~~ following ~~code into~~ your system configuration

The firewall is enabled by default on NixOS. To explicitly ensure it is enabled, add the following option to your system configuration:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

networking.firewall.enable = true;

</nowiki>}}

~~This will make~~ all local ports and services unreachable from external connections.

With the firewall enabled, all local ports and services will be unreachable from external connections unless explicitly allowed.

To use the newer nftables backend instead of iptables, set the option {{nixos:option|networking.nftables.enable}} to true.

== Configuration ==

To allow specific TCP/UDP ports or port ranges on all interfaces, ~~you can~~ use following syntax:

To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

networking.firewall = {

enable = true;

allowedTCPPorts = [ 80 443 ];

allowedUDPPortRanges = [

{ from = 4000; to = 4007; }

{ from = 8000; to = 8010; }

];

};

</nowiki>}}

Refer to {{nixos:option|networking.firewall}} for more firewall module options.

<~~syntaxhighlight lang="nix~~>

{{note|Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option <code><nowiki>services.jellyfin.openFirewall = true;</nowiki></code> which will open the required TCP ports.}}

~~networking~~.~~firewall = {~~

~~enable~~ = true;

~~allowedTCPPorts = [ 80 443 ];~~

~~allowedUDPPortRanges = [~~

~~{ from = 4000; to = 4007; }~~

~~{ from = 8000; to = 8010; }~~

];

};

</~~syntaxhighlight~~>

{{~~note~~|~~Many services also provide an option to open required firewall ports automatically. For example~~, ~~the media server Jellyfin offers the option <code><nowiki>services~~.~~jellyfin.openFirewall = true;<~~/~~nowiki><~~/~~code> which will open required TCP ports.~~}}

{{warning|Firewall rules may be overwritten by [[Docker]], as per https://github.com/NixOS/nixpkgs/issues/111852}}

Interface specific ~~firewall~~ rules ~~can be applied like this~~

=== Interface specific rules ===

<~~syntaxhighlight lang="nix~~>

It is possible to define firewall rules for specific network interfaces. This can be useful for allowing different ports or services on different network connections. Add the following to your system configuration:

networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];

</~~syntaxhighlight~~>

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];

</nowiki>}}

In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>.

== ~~Warning~~ ==

=== Advanced Configuration ===

Some users may want more fine-grained control of how their firewall is configured. This can, when using nftables, be achieved by defining custom tables and chains through {{Nixos:option|networking.nftables.tables}}.

It is important to say that a <code>nixos-fw</code> table with multiple chains will be generated by setting {{Nixos:option|networking.nftables.enable}} to true. These chains can be modified with extra rules through various options within {{Nixos:option|networking.firewall}}. If possible, try to stick to these when customizing generated rules, as trying to dynamically delete and overwrite them at activation time can be ''very'' error-prone.

For instance, to expose a TCP port only to your local IPv4 and IPv6 subnets, add the following to your configuration:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

networking.firewall.extraInputRules = ''

ip saddr 130.236.254.0/24 tcp dport 6600 accept

ip6 saddr 2001:6b0:17:f0a0::/64 tcp dport 6600 accept

'';

</nowiki>}}

This will add the two specified rules to the <code>input-allow</code> chain in the <code>nixos-fw</code> table. You should, of course, replace the port and subnets with your own.

== Tips and tricks ==

=== Log all dropped/rejected network packets ===

On a vanilla NixOS install, the [https://search.nixos.org/options?show=networking.firewall.logRefusedPackets&query=networking.firewall.logRefusedPackets <code>networking.firewall.logRefusedPackets = true;</code>] stanza lets you see lines in syslog with the prefix <code>refused packet:</code>, once you <code>sudo nixos-rebuild switch</code> and then <code>sudo dmesg --follow --human | grep 'refused packet:'</code>.

=== Temporary firewall rules ===

If using iptables, for temporary changes to the firewall rules, you can install the [https://search.nixos.org/packages?query=nixos-firewall-tool <code>nixos-firewall-tool</code>] package, which is a [https://github.com/NixOS/nixpkgs/blob/7eee17a8a5868ecf596bbb8c8beb527253ea8f4d/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh thin wrapper] around <code>iptables</code>.

~~Firewall rules may be overwritten by docker, as per https~~:~~//github.com/NixOS/nixpkgs/issues/111852~~

[[Category:Server]]

[[Category:Applications]]

@@ Line 1: / Line 1: @@
-NixOS provides an interface to configure the firewall through the option <code>networking.firewall</code>.
+[[NixOS]] includes an integrated firewall based on [https://www.netfilter.org/ iptables]/[https://www.nftables.org/ nftables], which can be configured declaratively through the [[NixOS system configuration]]. By default, the firewall is enabled and restricts incoming network connections, allowing users to explicitly define which ports and services should be accessible.
-Whether the firewall is based on [https://www.nftables.org/ Nftables] or iptables depends on the value of [https://github.com/NixOS/nixpkgs/blob/4bff9cd9f809b8f510a21be0c845bf37e6af148c/nixos/modules/services/networking/firewall.nix#L73  <code>config.networking.nftables.enable</code>].
 == Enable ==
-To enable the firewall, simply put following code into your system configuration
+The firewall is enabled by default on NixOS. To explicitly ensure it is enabled, add the following option to your system configuration:
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
-networking.firewall.enable = true;
+  networking.firewall.enable = true;
 </nowiki>}}
-This will make all local ports and services unreachable from external connections.
+With the firewall enabled, all local ports and services will be unreachable from external connections unless explicitly allowed.
+To use the newer nftables backend instead of iptables, set the option {{nixos:option|networking.nftables.enable}} to true.
 == Configuration ==
-To allow specific TCP/UDP ports or port ranges on all interfaces, you can use following syntax:
+To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax:
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 80 443 ];
+    allowedUDPPortRanges = [
+      { from = 4000; to = 4007; }
+      { from = 8000; to = 8010; }
+    ];
+  };
+</nowiki>}}
+Refer to {{nixos:option|networking.firewall}} for more firewall module options.
-<syntaxhighlight lang="nix>
+{{note|Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option <code><nowiki>services.jellyfin.openFirewall = true;</nowiki></code> which will open the required TCP ports.}}
-networking.firewall = {
-  enable = true;
-  allowedTCPPorts = [ 80 443 ];
-  allowedUDPPortRanges = [
-    { from = 4000; to = 4007; }
-    { from = 8000; to = 8010; }
-  ];
-};
-</syntaxhighlight>
-{{note|Many services also provide an option to open required firewall ports automatically. For example, the media server Jellyfin offers the option <code><nowiki>services.jellyfin.openFirewall = true;</nowiki></code> which will open required TCP ports.}}
+{{warning|Firewall rules may be overwritten by [[Docker]], as per https://github.com/NixOS/nixpkgs/issues/111852}}
-Interface specific firewall rules can be applied like this
+=== Interface specific rules ===
-<syntaxhighlight lang="nix>
+It is possible to define firewall rules for specific network interfaces. This can be useful for allowing different ports or services on different network connections. Add the following to your system configuration:
-networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
-</syntaxhighlight>
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+  networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
+</nowiki>}}
 In this case, ports <code>80</code> and <code>443</code> will be allowed for the interface <code>eth0</code>.
-== Warning ==
+=== Advanced Configuration ===
+Some users may want more fine-grained control of how their firewall is configured. This can, when using nftables, be achieved by defining custom tables and chains through {{Nixos:option|networking.nftables.tables}}.
+It is important to say that a <code>nixos-fw</code> table with multiple chains will be generated by setting {{Nixos:option|networking.nftables.enable}} to true. These chains can be modified with extra rules through various options within {{Nixos:option|networking.firewall}}. If possible, try to stick to these when customizing generated rules, as trying to dynamically delete and overwrite them at activation time can be ''very'' error-prone.
+For instance, to expose a TCP port only to your local IPv4 and IPv6 subnets, add the following to your configuration:
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+    networking.firewall.extraInputRules = ''
+      ip saddr 130.236.254.0/24 tcp dport 6600 accept
+      ip6 saddr 2001:6b0:17:f0a0::/64 tcp dport 6600 accept
+    '';
+</nowiki>}}
+This will add the two specified rules to the <code>input-allow</code> chain in the <code>nixos-fw</code> table. You should, of course, replace the port and subnets with your own.
+== Tips and tricks ==
+=== Log all dropped/rejected network packets ===
+On a vanilla NixOS install, the [https://search.nixos.org/options?show=networking.firewall.logRefusedPackets&query=networking.firewall.logRefusedPackets <code>networking.firewall.logRefusedPackets = true;</code>] stanza lets you see lines in syslog with the prefix <code>refused packet:</code>, once you <code>sudo nixos-rebuild switch</code> and then <code>sudo dmesg --follow --human | grep 'refused packet:'</code>.
+=== Temporary firewall rules ===
+If using iptables, for temporary changes to the firewall rules, you can install the [https://search.nixos.org/packages?query=nixos-firewall-tool <code>nixos-firewall-tool</code>] package, which is a [https://github.com/NixOS/nixpkgs/blob/7eee17a8a5868ecf596bbb8c8beb527253ea8f4d/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh thin wrapper] around <code>iptables</code>.
-Firewall rules may be overwritten by docker, as per https://github.com/NixOS/nixpkgs/issues/111852
+[[Category:Server]]
+[[Category:Applications]]