Firewall: Difference between revisions
| imported>Rascal999 mNo edit summary | imported>N8henrie m Incorrectly says it is based on ntfables, which is not true by default. | ||
| Line 1: | Line 1: | ||
| NixOS provides an interface to configure the [https://www.nftables.org/ Nftables]  | NixOS provides an interface to configure the firewall through the option <code>networking.firewall</code>. | ||
| Whether the firewall is based on [https://www.nftables.org/ Nftables] or iptables depends on the value of [https://github.com/NixOS/nixpkgs/blob/4bff9cd9f809b8f510a21be0c845bf37e6af148c/nixos/modules/services/networking/firewall.nix#L73  <code>config.networking.nftables.enable</code>]. | |||
| == Enable == | == Enable == | ||
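Review bot: the new sentence on the right says the backend depends on config.networking.nftables.enable but, unlike the edit summary ("not true by default"), never states which backend is the default; adding "iptables by default" would tell readers which ruleset their rules actually land in. The link also pins nixpkgs commit 4bff9cd9f809b8f510a21be0c845bf37e6af148c at line 73, a source anchor that will not track later changes to firewall.nix; pointing at the option's documentation instead would be more durable.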
Revision as of 14:26, 31 January 2023
NixOS provides an interface to configure the firewall through the option networking.firewall.
Whether the firewall is based on Nftables or iptables depends on the value of config.networking.nftables.enable.
Enable
To enable the firewall, put the following line into your system configuration:
/etc/nixos/configuration.nix
networking.firewall.enable = true;
This will make all local ports and services unreachable from external connections.
Configuration
To allow specific TCP/UDP ports or port ranges on all interfaces, use the following syntax:
networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
  allowedUDPPortRanges = [
    { from = 4000; to = 4007; }
    { from = 8000; to = 8010; }
  ];
};
Note: Many services also provide an option to open the firewall ports they need automatically. For example, the media server Jellyfin offers the option services.jellyfin.openFirewall = true;, which opens the required TCP ports.
Interface-specific firewall rules can be applied like this:
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
In this case, ports 80 and 443 will be allowed for the interface eth0.
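A fuller configuration that combines the options above so that only the public ports are reachable on every interface while everything else stays on the LAN side. This is an added example, not part of the original wiki page; the interface name enp3s0, the choice of the nftables backend and the logging option are assumptions made for the example.

```nix
{ config, lib, pkgs, ... }:

{
  # Assumption: use the nftables backend. With the default (false)
  # the same networking.firewall options are rendered for iptables.
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;

    # Reachable on every interface: only the services that must be public.
    allowedTCPPorts = [ 80 443 ];

    # Reachable only through the LAN interface (assumed name "enp3s0"):
    # SSH and a UDP range are never exposed on other interfaces.
    interfaces."enp3s0" = {
      allowedTCPPorts = [ 22 ];
      allowedUDPPortRanges = [
        { from = 4000; to = 4007; }
      ];
    };

    # Log refused connections so blocked probes show up in the journal
    # (assumption: logging is wanted on this host).
    logRefusedConnections = true;
  };
}
```

After `nixos-rebuild switch`, the resulting ruleset can be inspected with `nft list ruleset` (or `iptables -L -n` when the iptables backend is in use).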
Warning
Firewall rules may be overwritten by Docker, as described in https://github.com/NixOS/nixpkgs/issues/111852
