Firewall
NixOS provides an interface to configure the firewall through the option networking.firewall.
The default firewall uses iptables. To use the newer nftables instead, additionally set networking.nftables.enable = true;
Enable
The firewall is enabled by default when the option is not set. To explicitly enable it, add the following to your system configuration:
networking.firewall.enable = true;
This will make all local ports and services unreachable from external connections.
Configuration
To allow specific TCP/UDP ports or port ranges on all interfaces, use the following syntax:
networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
  allowedUDPPortRanges = [
    { from = 4000; to = 4007; }
    { from = 8000; to = 8010; }
  ];
};
Some service modules provide an option to open the ports they need, for example services.jellyfin.openFirewall = true; which will open the required TCP ports.
Interface-specific firewall rules can be applied like this:
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
In this case, ports 80 and 443 will be allowed for the interface eth0.
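As an added example (not part of the wiki page), the following configuration.nix fragment combines the options above into a scoped policy: public ports on every interface, administrative ports on one LAN interface only. The interface name enp3s0 and the services shown are assumptions for the example.

```nix
# Added example, not from the NixOS wiki. The interface name "enp3s0" and the
# services below are assumptions; adjust them to the host being configured.
{ config, pkgs, ... }:

{
  # Use nftables as the backend instead of the default iptables.
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;

    # Reachable on every interface: only the public web ports.
    allowedTCPPorts = [ 80 443 ];

    # Reachable on the LAN interface only: SSH and a small UDP range.
    # Keeping SSH off the global list avoids exposing it on the WAN side.
    interfaces."enp3s0" = {
      allowedTCPPorts = [ 22 ];
      allowedUDPPortRanges = [ { from = 4000; to = 4007; } ];
    };

    # Log refused connections to the kernel log (journalctl -k) so that
    # unexpected probes are visible. This is the default, stated explicitly.
    logRefusedConnections = true;
  };

  # The OpenSSH module opens port 22 on all interfaces by default; disable
  # that so the interface-specific rule above is the only path to SSH.
  services.openssh = {
    enable = true;
    openFirewall = false;
  };

  # Let a service module open its own ports rather than hard-coding them.
  services.jellyfin = {
    enable = true;
    openFirewall = true;
  };
}
```

After `nixos-rebuild switch`, `nft list ruleset` (or `iptables -L -n` with the default backend) shows which ports are actually open and on which interfaces.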
For temporary changes to the firewall rules, you can use the nixos-firewall-tool command.
Warning
Firewall rules may be overwritten by Docker, as per https://github.com/NixOS/nixpkgs/issues/111852
