Firewall

From NixOS Wiki
Revision as of 14:26, 31 January 2023 by imported>N8henrie (Incorrectly says it is based on ntfables, which is not true by default.)

NixOS provides an interface to configure the firewall through the option networking.firewall.

Whether the firewall is based on Nftables or iptables depends on the value of config.networking.nftables.enable.

Enable

To enable the firewall, simply put following code into your system configuration 

/etc/nixos/configuration.nix

networking.firewall.enable = true;

This will make all local ports and services unreachable from external connections.

Configuration

To allow specific TCP/UDP ports or port ranges on all interfaces, you can use following syntax: 

networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
  allowedUDPPortRanges = [
    { from = 4000; to = 4007; }
    { from = 8000; to = 8010; }
  ];
};
Note: Many services also provide an option to open required firewall ports automatically. For example, the media server Jellyfin offers the option services.jellyfin.openFirewall = true; which will open required TCP ports.

Interface specific firewall rules can be applied like this 

networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];

In this case, ports 80 and 443 will be allowed for the interface eth0.

Warning

Firewall rules may be overwritten by docker, as per https://github.com/NixOS/nixpkgs/issues/111852

Retrieved from "https://wiki.nixos.org/w/index.php?title=Firewall&oldid=9853"