Firewall: Difference between revisions

From NixOS Wiki
Ahi6 (talk | contribs)
Mention nixos-firewall-tool
→‎Configuration: clarify nixos-firewall-tool is iptables only
Tags: Mobile edit Mobile web edit
Revision diff, Line 38 (Configuration section):

Old: For temporary changes to the firewall rules, you can use the <code>nixos-firewall-tool</code> command.

New: If using iptables, for temporary changes to the firewall rules, you can install the [https://search.nixos.org/packages?channel=24.11&from=0&size=50&sort=relevance&type=packages&query=nixos-firewall-tool <code>nixos-firewall-tool</code>] package, which is a [https://github.com/NixOS/nixpkgs/blob/7eee17a8a5868ecf596bbb8c8beb527253ea8f4d/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh thin wrapper] around <code>iptables</code>.

Latest revision as of 13:00, 1 December 2024

NixOS provides an interface to configure the firewall through the option networking.firewall.

The default firewall uses iptables. To use the newer nftables instead, additionally set networking.nftables.enable = true;

Enable

The firewall is enabled by default when the option is left unset. To enable it explicitly, add the following to your system configuration:

/etc/nixos/configuration.nix
networking.firewall.enable = true;

This will make all local ports and services unreachable from external connections.

Configuration

To allow specific TCP/UDP ports or port ranges on all interfaces, use the following syntax:

networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
  allowedUDPPortRanges = [
    { from = 4000; to = 4007; }
    { from = 8000; to = 8010; }
  ];
};
Note: Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option services.jellyfin.openFirewall = true; which will open the required TCP ports.

Interface-specific firewall rules can be applied like this:

networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];

In this case, ports 80 and 443 will be allowed for the interface eth0.
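As an added example (not from the wiki page or the NixOS modules themselves), the fragment below puts the options described above into one configuration.nix: ports allowed on all interfaces, a UDP range, a per-interface rule, the nftables backend, and a service module's openFirewall option. It also goes slightly beyond the page by setting trustedInterfaces and logRefusedConnections, two further networking.firewall options. The interface names enp2s0 and wg0 and the port numbers are constructed for illustration.

```nix
# Added example, not code from the NixOS wiki page. Interface names and
# ports are assumptions; check `ip link` on the host before using them.
{ config, lib, pkgs, ... }:

{
  networking.firewall = {
    enable = true;

    # Default-deny: only the ports listed here are reachable from outside.
    # Public web service on every interface.
    allowedTCPPorts = [ 80 443 ];

    # A UDP range, e.g. for a media or VoIP service (constructed values).
    allowedUDPPortRanges = [
      { from = 4000; to = 4007; }
    ];

    # SSH only on the management interface, not on the public one.
    # The interface name enp2s0 is an assumption.
    interfaces."enp2s0".allowedTCPPorts = [ 22 ];

    # Interfaces that are not filtered at all. Keep this limited to links
    # you fully control; loopback is already trusted. wg0 is an assumption.
    trustedInterfaces = [ "wg0" ];

    # Log refused connections to the kernel log (visible with journalctl -k)
    # so blocked traffic can be reviewed; this is the default, made explicit.
    logRefusedConnections = true;
  };

  # Use the nftables backend instead of the default iptables backend.
  networking.nftables.enable = true;

  # A service module opening its own ports; this is equivalent to listing
  # Jellyfin's TCP ports under allowedTCPPorts by hand.
  services.jellyfin = {
    enable = true;
    openFirewall = true;
  };
}
```

After a rebuild, `nft list ruleset` (or `iptables -L -n` with the default backend) shows the resulting chains, which is the quickest way to confirm that only the intended ports and interfaces are open.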

If you are using the iptables backend, temporary changes to the firewall rules can be made with the nixos-firewall-tool package, a thin wrapper around iptables (https://github.com/NixOS/nixpkgs/blob/7eee17a8a5868ecf596bbb8c8beb527253ea8f4d/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh). It does not apply to the nftables backend.

Warning

Firewall rules may be overwritten by Docker, as per https://github.com/NixOS/nixpkgs/issues/111852