<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-firewall">

<title>Firewall</title>

<para>NixOS has a simple stateful firewall that blocks incoming
connections and any other packets that are not part of a connection the
machine itself has already established. The firewall applies to both
IPv4 and IPv6 traffic. It is enabled by default and can be disabled as
follows:

<programlisting>
networking.firewall.enable = false;
</programlisting>

If the firewall is enabled, you can open specific TCP ports to the
outside world:

<programlisting>
networking.firewall.allowedTCPPorts = [ 80 443 ];
</programlisting>

Note that TCP port 22 (ssh) is opened automatically if the SSH daemon
is enabled (<option>services.openssh.enable = true</option>), so
enabling sshd also exposes that port without any firewall option being
set. UDP ports can be opened through
<option>networking.firewall.allowedUDPPorts</option>. Also of
interest is

<programlisting>
networking.firewall.allowPing = true;
</programlisting>

which allows the machine to respond to ICMP echo requests (ping).
(ICMPv6 echo requests are always allowed.)</para>
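The options described above combined into one configuration stanza, as an added example that is not taken from the NixOS manual or the nixpkgs sources. The chosen ports (TCP 80 and 443 for a web server, UDP 53 for a resolver) are illustrative assumptions, and the `allowedTCPPortRanges` attribute goes beyond what this section covers: it is the NixOS option for opening a contiguous range instead of listing every port.

```nix
# Added example (not from the NixOS manual): firewall configuration for a
# host that serves HTTP/HTTPS, runs a DNS resolver, and should answer pings.
# Port numbers are assumptions chosen for illustration.
{ config, pkgs, ... }:

{
  networking.firewall = {
    # The default; stated explicitly so the intent is visible in review.
    enable = true;

    # TCP ports reachable from outside: web server.
    allowedTCPPorts = [ 80 443 ];

    # A contiguous range, e.g. for a service that binds several ports.
    # (Option beyond this section; assumed to be wanted on this host.)
    allowedTCPPortRanges = [ { from = 8000; to = 8010; } ];

    # UDP ports reachable from outside: DNS.
    allowedUDPPorts = [ 53 ];

    # Answer ICMP echo requests; ICMPv6 echo is allowed regardless.
    allowPing = true;
  };

  # Enabling sshd opens TCP 22 automatically; it is deliberately not
  # repeated in allowedTCPPorts above.
  services.openssh.enable = true;
}
```

After `nixos-rebuild switch`, verify that the generated rule set matches the intent rather than trusting the configuration alone: with the iptables-based firewall, `iptables -L nixos-fw -n` and `ip6tables -L nixos-fw -n` list the chain NixOS creates, and TCP 22 should appear there even though the configuration never names it. With the nftables-based firewall of newer releases, `nft list ruleset` shows the equivalent table. Everything listed as open should be reachable from outside; anything not listed should be refused, which a quick `nmap` from another host confirms.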

</section>