Firewall: Difference between revisions

From NixOS Wiki
imported>N8henrie
m Incorrectly says it is based on nftables, which is not true by default.
imported>Skylark
State that iptables is the default

Revision as of 08:45, 19 October 2023

NixOS provides an interface to configure the firewall through the option networking.firewall.

The default firewall uses iptables. To use the newer nftables instead, set networking.nftables.enable = true;

Enable

To enable the firewall, add the following into your system configuration:

/etc/nixos/configuration.nix
networking.firewall.enable = true;

This will make all local ports and services unreachable from external connections.

Configuration

To allow specific TCP/UDP ports or port ranges on all interfaces, use the following syntax:

networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
  allowedUDPPortRanges = [
    { from = 4000; to = 4007; }
    { from = 8000; to = 8010; }
  ];
};
Note: Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option services.jellyfin.openFirewall = true; which will open the required TCP ports.

Interface-specific firewall rules can be applied like this:

networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];

In this case, ports 80 and 443 will be allowed for the interface eth0.

Warning

Firewall rules may be overwritten by Docker, as per https://github.com/NixOS/nixpkgs/issues/111852
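The following is an added example, not part of the original wiki page, that ties the options above together into one module: ports open on all interfaces, SSH restricted to a single interface, and a container whose published port is bound to loopback so it does not bypass the firewall as described in the warning. The interface names "eth0"/"eth1", the container name and image are assumptions.

```nix
# Added example (not from the original wiki page). Host with a public
# interface "eth0" and a LAN interface "eth1" (assumed names; adjust).
{ config, pkgs, ... }:

{
  networking.firewall = {
    enable = true;

    # Reachable from any interface: HTTP and HTTPS.
    allowedTCPPorts = [ 80 443 ];

    # UDP port range open on all interfaces.
    allowedUDPPortRanges = [
      { from = 4000; to = 4007; }
    ];

    # SSH is only accepted on the LAN interface; eth0 gets nothing
    # beyond the global lists above.
    interfaces."eth1".allowedTCPPorts = [ 22 ];

    # Keep refused packets in the journal so unexpected connection
    # attempts are visible (this is the default, stated explicitly).
    logRefusedConnections = true;
  };

  # sshd's own openFirewall option would open port 22 on every
  # interface, which would defeat the per-interface rule above.
  services.openssh = {
    enable = true;
    openFirewall = false;
  };

  # Ports published by Docker are not filtered by the NixOS firewall
  # (see the warning above). Binding the published port to 127.0.0.1
  # keeps it off the public interfaces; a reverse proxy on 80/443 can
  # expose it deliberately if needed.
  virtualisation.docker.enable = true;
  virtualisation.oci-containers.backend = "docker";
  virtualisation.oci-containers.containers.web = {
    image = "nginx:latest";            # constructed example image
    ports = [ "127.0.0.1:8080:80" ];   # host 127.0.0.1:8080 -> container :80
  };
}
```

After `nixos-rebuild switch`, the resulting rules can be inspected with `iptables -L nixos-fw -n` (or `nft list ruleset` when `networking.nftables.enable` is set) to confirm that 22 is only accepted on eth1 and that 8080 is not reachable from outside.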