Firewall
Appearance
	
	
NixOS provides an interface to configure the firewall through the option networking.firewall.
Whether the firewall is based on Nftables or iptables depends on the value of config.networking.nftables.enable.
Enable
To enable the firewall, simply put following code into your system configuration
❄︎ /etc/nixos/configuration.nix
networking.firewall.enable = true;
This will make all local ports and services unreachable from external connections.
Configuration
To allow specific TCP/UDP ports or port ranges on all interfaces, you can use following syntax:
networking.firewall = {
  enable = true;
  allowedTCPPorts = [ 80 443 ];
  allowedUDPPortRanges = [
    { from = 4000; to = 4007; }
    { from = 8000; to = 8010; }
  ];
};
Note: Many services also provide an option to open required firewall ports automatically. For example, the media server Jellyfin offers the option 
services.jellyfin.openFirewall = true; which will open required TCP ports.Interface specific firewall rules can be applied like this
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 80 443 ];
In this case, ports 80 and 443 will be allowed for the interface eth0.
Warning
Firewall rules may be overwritten by docker, as per https://github.com/NixOS/nixpkgs/issues/111852
