Firewall: Difference between revisions
Edit by imported>CryoMyst: no edit summary
Edit by imported>Bowmanjd (minor edit): "So minor, but I was confused if networking.nftables _replaced_ or _supplemented_ networking.firewall, and I noticed example configs online that suggested others may be confused as well."

Line 1, before:
NixOS provides an interface to configure the firewall through the option <code>networking.firewall</code>.
The default firewall uses [https://www.netfilter.org/ iptables]. To use the newer [https://www.nftables.org/ nftables] instead, set <code>networking.nftables.enable = true;</code>

Line 1, after:
NixOS provides an interface to configure the firewall through the option <code>networking.firewall</code>.
The default firewall uses [https://www.netfilter.org/ iptables]. To use the newer [https://www.nftables.org/ nftables] instead, additionally set <code>networking.nftables.enable = true;</code>

(unchanged context: == Enable ==)
Revision as of 21:50, 10 December 2023
NixOS provides an interface to configure the firewall through the option networking.firewall.
The default firewall uses iptables. To use the newer nftables instead, additionally set networking.nftables.enable = true;
Enable
The firewall is enabled by default when the option is not set. To enable it explicitly, add the following to your system configuration:
/etc/nixos/configuration.nix
networking.firewall.enable = true;
This will make all local ports and services unreachable from external connections.
Configuration
To allow specific TCP/UDP ports or port ranges on all interfaces, use the following syntax:
networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
  allowedUDPPortRanges = [
    { from = 4000; to = 4007; }
    { from = 8000; to = 8010; }
  ];
};
Interface-specific firewall rules can be applied like this:
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
In this case, ports 80 and 443 will be allowed for the interface eth0.
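An added example, not from the wiki page, that combines the global and interface-specific options above into one module, so that only the web ports are public and the administrative port stays on an internal interface. The interface names enp1s0 and wg0 and the port numbers are assumptions.

```nix
# Added example (not from the wiki page). Interface names enp1s0 (public) and
# wg0 (WireGuard, internal) and the ports used here are assumed.
{ config, lib, pkgs, ... }:

{
  # nftables supplements networking.firewall rather than replacing it: the
  # options below are rendered as nft rules instead of iptables rules.
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;                  # explicit, although this is the default

    # Reachable on every interface: only the services that must be public.
    allowedTCPPorts = [ 80 443 ];

    # The WireGuard listener is only needed on the public interface.
    interfaces."enp1s0".allowedUDPPorts = [ 51820 ];

    # SSH is only reachable through the tunnel, so it is never exposed on
    # enp1s0 even though the service itself listens on all addresses.
    interfaces."wg0".allowedTCPPorts = [ 22 ];

    # Keep rejected connection attempts in the journal for later review
    # (this is the default, stated here so it is not silently disabled).
    logRefusedConnections = true;
  };
}
```

After <code>nixos-rebuild switch</code>, refused attempts against enp1s0 appear in <code>journalctl -k</code> with the "refused connection" prefix the firewall module uses.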
Warning
Firewall rules may be overwritten by Docker; see https://github.com/NixOS/nixpkgs/issues/111852