<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-firewall">
 <title>Firewall</title>
 <para>
 NixOS has a simple stateful firewall that drops incoming
 connections and other unexpected packets while still allowing replies
 to connections the host itself initiated. The firewall applies to
 both IPv4 and IPv6 traffic. It is enabled by default. It can be
 disabled as follows, which exposes every listening service on every
 interface, so prefer opening only the ports you need:
 </para>
 <programlisting language="bash">
networking.firewall.enable = false;
</programlisting>
 <para>
 If the firewall is enabled, you can open specific TCP ports to the
 outside world:
 </para>
 <programlisting language="bash">
networking.firewall.allowedTCPPorts = [ 80 443 ];
</programlisting>
 <para>
 Note that TCP port 22 (ssh) is opened automatically if the SSH
 daemon is enabled
 (<literal>services.openssh.enable = true</literal>). UDP ports can
 be opened through
 <xref linkend="opt-networking.firewall.allowedUDPPorts" />.
 </para>
 <para>
 To open ranges of TCP ports (both ends are inclusive):
 </para>
 <programlisting language="bash">
networking.firewall.allowedTCPPortRanges = [
 { from = 4000; to = 4007; }
 { from = 8000; to = 8010; }
];
</programlisting>
 <para>
 Similarly, UDP port ranges can be opened through
 <xref linkend="opt-networking.firewall.allowedUDPPortRanges" />.
 </para>
</section>
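 <para>
 The options above combined into a single configuration fragment, as an
 added example that is not taken from the NixOS manual or the NixOS
 firewall module itself. The port numbers other than 22, 80 and 443 are
 constructed for illustration and stand in for whatever services a host
 actually runs.
 </para>

```nix
# Added example (not from the NixOS manual): one firewall configuration that
# combines the options discussed in this section. Port numbers other than
# 22/80/443 are constructed placeholders, not recommendations.
{ config, pkgs, ... }:

{
  # Enabling sshd opens TCP 22 automatically; it does not need to be listed
  # in allowedTCPPorts below.
  services.openssh.enable = true;

  networking.firewall = {
    # The firewall is on by default; stated explicitly so the intent is
    # visible in the configuration.
    enable = true;

    # Individual TCP ports reachable from the outside: HTTP and HTTPS.
    allowedTCPPorts = [ 80 443 ];

    # Individual UDP ports (constructed example port).
    allowedUDPPorts = [ 5000 ];

    # Contiguous ranges; "from" and "to" are both inclusive, so the first
    # entry opens eight TCP ports (4000 through 4007).
    allowedTCPPortRanges = [
      { from = 4000; to = 4007; }
      { from = 8000; to = 8010; }
    ];
    allowedUDPPortRanges = [
      { from = 60000; to = 61000; }   # constructed example range
    ];
  };
}
```

 <para>
 Ports opened this way are reachable on every interface, so a port meant
 only for a LAN or VPN should not be listed here unless that is intended.
 After <literal>nixos-rebuild switch</literal>, the rules actually in
 effect can be checked on an iptables-based system with
 <literal>iptables -L nixos-fw -n</literal> (and
 <literal>ip6tables</literal> for IPv6), which lists the ACCEPT rules the
 module generated from the options above.
 </para>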