<!-- branch: 18.03-beta -->
<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-firewall">

<title>Firewall</title>

<para>NixOS has a simple stateful firewall that blocks incoming
connections and other unexpected packets. The firewall applies to
both IPv4 and IPv6 traffic. It is enabled by default. It can be
disabled as follows:

<programlisting>
networking.firewall.enable = false;
</programlisting>

If the firewall is enabled, you can open specific TCP ports to the
outside world:

<programlisting>
networking.firewall.allowedTCPPorts = [ 80 443 ];
</programlisting>

Note that TCP port 22 (ssh) is opened automatically if the SSH daemon
is enabled (<option>services.openssh.enable = true</option>). UDP
ports can be opened through
<option>networking.firewall.allowedUDPPorts</option>.</para>

<para>To open ranges of TCP ports:

<programlisting>
networking.firewall.allowedTCPPortRanges = [
  { from = 4000; to = 4007; }
  { from = 8000; to = 8010; }
];
</programlisting>

Similarly, UDP port ranges can be opened through
<option>networking.firewall.allowedUDPPortRanges</option>.</para>

<para>Also of interest is

<programlisting>
networking.firewall.allowPing = true;
</programlisting>

to allow the machine to respond to ping requests. (ICMPv6 pings are
always allowed.)</para>

</section>
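As an added example that is not part of the manual, the fragment below combines the options described above into one configuration.nix module and uses the standard NixOS assertions option to make the build fail if the firewall is ever disabled or a port range grows wider than a local policy allows; the port values, the UDP listener and the 16-port limit are constructed for illustration.

```nix
# Added example, not from the NixOS manual: keep the default-deny firewall,
# open only what is needed, and let the build fail if someone turns it off
# or opens an overly wide port range. Port values and the range limit are
# constructed for illustration.
{ config, lib, ... }:

let
  fw = config.networking.firewall;
  maxRangeWidth = 16;                       # constructed policy limit
  rangeWidth = r: r.to - r.from + 1;        # inclusive width of a { from; to; } range
  widestRange = lib.foldl' lib.max 0
    (map rangeWidth (fw.allowedTCPPortRanges ++ fw.allowedUDPPortRanges));
in
{
  # TCP port 22 is opened automatically because sshd is enabled.
  services.openssh.enable = true;

  networking.firewall = {
    enable = true;                          # already the default; stated explicitly
    allowedTCPPorts = [ 80 443 ];           # web front end
    allowedTCPPortRanges = [ { from = 4000; to = 4007; } ];
    allowedUDPPorts = [ 51820 ];            # constructed: a UDP VPN listener
    allowPing = true;                       # ICMPv4 echo; ICMPv6 echo is always allowed
  };

  # Build-time checks: evaluated by nixos-rebuild before anything is activated.
  assertions = [
    {
      assertion = fw.enable;
      message = "networking.firewall.enable must not be set to false on this host";
    }
    {
      assertion = widestRange <= maxRangeWidth;
      message = "a firewall port range is wider than ${toString maxRangeWidth} ports";
    }
  ];
}
```

Setting `networking.firewall.enable = false` elsewhere in the configuration, or adding a range such as `{ from = 8000; to = 8100; }`, makes `nixos-rebuild` stop with the corresponding message instead of activating the weaker ruleset.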