OpenSnitch
Opensnitch is a configurable inbound and outbound firewall with support for configurable rules by application, port, host, etc.
Installation
Add following line to your system configuration to install and enable OpenSnitch
services.opensnitch.enable = true;
OpenSnitch will start blocking connctions as soon the client application opensnitch-ui
is connected. For Home-Manager users, you can automatically start it in the background with the following configuration
home-manager.users.myuser = {
services.opensnitch-ui.enable = true;
};
Using this minimal and default configuration, an application which tries to connect to the outside network will be blocked. You'll see a popup window asking to grant or deny connectivity for the specific application.
Configuration
You can preconfigure which connections are allowed or blocked by default. Following rules will allow internet connectivity for the binaries systemd-resolved
and systemd-timesyncd
. All other connection requests will be blocked and require an manual exception.
services.opensnitch = {
enable = true;
rules = {
systemd-timesyncd = {
name = "systemd-timesyncd";
enabled = true;
action = "allow";
duration = "always";
operator = {
type ="simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
};
};
systemd-resolved = {
name = "systemd-resolved";
enabled = true;
action = "allow";
duration = "always";
operator = {
type ="simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved";
};
};
};
};
Please refer upstream documentation for configuration syntax and additional examples.