Official NixOS Wiki

Firewall

Revision as of 21:53, 26 November 2025 by Kacper (talk | contribs) (Add a section on how to configure the nftables firewall with more fine-grained rules than just 'allowed ports'.)

NixOS includes an integrated firewall based on iptables/nftables, which can be configured declaratively through the NixOS system configuration. By default, the firewall is enabled and restricts incoming network connections, allowing users to explicitly define which ports and services should be accessible.

Enable

The firewall is enabled by default on NixOS. To explicitly ensure it is enabled, add the following option to your system configuration:

❄︎ /etc/nixos/configuration.nix
  networking.firewall.enable = true;

With the firewall enabled, all local ports and services will be unreachable from external connections unless explicitly allowed.

To use the newer nftables backend instead of iptables, set the option networking.nftables.enable to true.

Configuration

To allow specific TCP/UDP ports or port ranges on all interfaces, use following syntax:

❄︎ /etc/nixos/configuration.nix
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
    allowedUDPPortRanges = [
      { from = 4000; to = 4007; }
      { from = 8000; to = 8010; }
    ];
  };

Refer to networking.firewall for more firewall module options.

Note: Many services also provide an option to open the required firewall ports automatically. For example, the media server Jellyfin offers the option services.jellyfin.openFirewall = true; which will open the required TCP ports.
⚠︎
Warning: Firewall rules may be overwritten by Docker, as per https://github.com/NixOS/nixpkgs/issues/111852

Interface specific rules

It is possible to define firewall rules for specific network interfaces. This can be useful for allowing different ports or services on different network connections. Add the following to your system configuration:

❄︎ /etc/nixos/configuration.nix
  networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];

In this case, ports 80 and 443 will be allowed for the interface eth0.

Advanced Configuration

Some users may want more fine-grained control of how their firewall is configured. This can, when using nftables, be achieved by defining custom tables and chains through networking.nftables.tables.

It is important to say that a nixos-fw table with multiple chains will be generated by setting networking.nftables.enable to true. These chains can be modified with extra rules through various options within networking.firewall. If possible, try to stick to these when customizing generated rules, as trying to dynamically delete and overwrite them at activation time can be very error-prone.

For instance, to expose a TCP port only to your local IPv4 and IPv6 subnets, add the following to your configuration:

❄︎ /etc/nixos/configuration.nix
    networking.firewall.extraInputRules = ''
      ip saddr 130.236.254.0/24 tcp dport 6600 accept
      ip6 saddr 2001:6b0:17:f0a0::/64 tcp dport 6600 accept
    '';

This will add the two specified rules to the input-allow chain in the nixos-fw table. You should of, course replace, the port and subnets with your own.

Tips and tricks

Log all dropped/rejected network packets

On a vanilla NixOS install, the networking.firewall.logRefusedPackets = true; stanza lets you see lines in syslog with the prefix refused packet:, once you sudo nixos-rebuild switch and then sudo dmesg --follow --human | grep 'refused packet:'.

Temporary firewall rules

If using iptables, for temporary changes to the firewall rules, you can install the nixos-firewall-tool package, which is a thin wrapper around iptables.

Retrieved from "https://wiki.nixos.org/w/index.php?title=Firewall&oldid=28756"