Firewall: Difference between revisions

Revision as of 14:26, 31 January 2023

NixOS provides an interface to configure the firewall through the option networking.firewall.

Whether the firewall is based on Nftables or iptables depends on the value of config.networking.nftables.enable.

Enable

To enable the firewall, simply put following code into your system configuration

/etc/nixos/configuration.nix

networking.firewall.enable = true;

This will make all local ports and services unreachable from external connections.

Configuration

To allow specific TCP/UDP ports or port ranges on all interfaces, you can use following syntax:

networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
  allowedUDPPortRanges = [
    { from = 4000; to = 4007; }
    { from = 8000; to = 8010; }
  ];
};

Note: Many services also provide an option to open required firewall ports automatically. For example, the media server Jellyfin offers the option services.jellyfin.openFirewall = true; which will open required TCP ports.

Interface specific firewall rules can be applied like this

networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];

In this case, ports 80 and 443 will be allowed for the interface eth0.

Warning

Firewall rules may be overwritten by docker, as per https://github.com/NixOS/nixpkgs/issues/111852

@@ Line 1: / Line 1: @@
-NixOS provides an interface to configure the [https://www.nftables.org/ Nftables] based firewall through the option <code>networking.firewall</code>.
+NixOS provides an interface to configure the firewall through the option <code>networking.firewall</code>.
+Whether the firewall is based on [https://www.nftables.org/ Nftables] or iptables depends on the value of [https://github.com/NixOS/nixpkgs/blob/4bff9cd9f809b8f510a21be0c845bf37e6af148c/nixos/modules/services/networking/firewall.nix#L73  <code>config.networking.nftables.enable</code>].
 == Enable ==