Allowing ports on firewall seems to not be working

I started having issues with my cloudflare tunnel (specifically regarding QUIC) and I tracked it down to my firewall. Previously I had it enabled with…

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      # PiHole
      53
    ];
    allowedUDPPorts = [ 53 ];
  };

When I disabled it, the cloudflare issues went away, and I was able to use netcat with an echo server and get responses on the QUIC port 7844. So I added in my cloudflared.nix…

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 7844 ];
    allowedUDPPorts = [ 7844 ];
  };

But the cloudflare tunnel issues come back and when I try to connect to my echo server with

nc -v <IP> 7844

I get

nc: connect to <IP> port 7844 (tcp) failed: Connection refused


Some more context since I remembered that certain options do end up changing firewall rules. This is a dump to json of the final state of networking.firewall.

{
  "allInterfaces": {
    "default": {
      "allowedTCPPortRanges": [],
      "allowedTCPPorts": [
        22,
        53,
        80,
        81,
        443,
        7844,
        8000,
        8123,
        9003,
        9443
      ],
      "allowedUDPPortRanges": [],
      "allowedUDPPorts": [
        53,
        7844
      ]
    }
  },
  "allowPing": true,
  "allowedTCPPortRanges": [],
  "allowedTCPPorts": [
    22,
    53,
    80,
    81,
    443,
    7844,
    8000,
    8123,
    9003,
    9443
  ],
  "allowedUDPPortRanges": [],
  "allowedUDPPorts": [
    53,
    7844
  ],
  "autoLoadConntrackHelpers": false,
  "checkReversePath": true,
  "connectionTrackingModules": [],
  "enable": false,
  "extraCommands": "# Helper command to manipulate both the IPv4 and IPv6 tables.\nip46tables() {\n  iptables -w \"$@\"\n  ip6tables -w \"$@\"\n\n}\n\nip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true\nip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true\nip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true\nip46tables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true\nip46tables -w -t nat -F nixos-nat-post 2>/dev/null || true\nip46tables -w -t nat -X nixos-nat-post 2>/dev/null || true\nip46tables -w -t nat -D OUTPUT -j nixos-nat-out 2>/dev/null || true\nip46tables -w -t nat -F nixos-nat-out 2>/dev/null || true\nip46tables -w -t nat -X nixos-nat-out 2>/dev/null || true\nip46tables -w -t filter -D FORWARD -j nixos-filter-forward 2>/dev/null || true\nip46tables -w -t filter -F nixos-filter-forward 2>/dev/null || true\nip46tables -w -t filter -X nixos-filter-forward 2>/dev/null || true\n\n\n",
  "extraForwardRules": "",
  "extraInputRules": "",
  "extraPackages": [],
  "extraReversePathFilterRules": "",
  "extraStopCommands": "",
  "filterForward": false,
  "interfaces": {},
  "logRefusedConnections": true,
  "logRefusedPackets": false,
  "logRefusedUnicastsOnly": true,
  "logReversePathDrops": false,
  "package": "/nix/store/c0rsnkvnq4vgm23cva64h3jspqs1q7i9-iptables-1.8.11",
  "pingLimit": null,
  "rejectPackets": false,
  "trustedInterfaces": []
}

Currently enable is set to false because, until I get this resolved, I need to have it disabled.

7844 is making it into there, and nothing else stands out to me as being an issue.

Something else might be messing with iptables at runtime as well (e.g. docker, qemu, …), and not be clearly reflected in your NixOS config. That can have unexpected effects.

Double-check that it is the firewall by checking kernel logs with dmesg -w, and then look at the effective rules by hand with iptables -L.

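The two checks suggested above (kernel log, then effective rules) can be scripted so the answer is not left to eyeballing a long iptables listing. The following is an added example, not code from anyone in this thread: it assumes the chain names the NixOS iptables firewall generates (nixos-fw, nixos-fw-accept) and the "refused connection: " prefix it uses for logged TCP SYNs when logRefusedConnections is true, and it runs against constructed sample output so it can be tried offline; on a real host, drop the third argument and the functions query iptables -S and dmesg themselves.

```shell
#!/usr/bin/env sh
# Constructed sample of `iptables -w -S nixos-fw` output (not captured from the poster's host).
# Note that 7844 is deliberately absent, reproducing the "port not opened" case.
SAMPLE_RULES='-N nixos-fw
-A nixos-fw -i lo -j nixos-fw-accept
-A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 22 -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 53 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 53 -j nixos-fw-accept
-A nixos-fw -p icmp -m icmp --icmp-type echo-request -j nixos-fw-accept
-A nixos-fw -j nixos-fw-log-refuse'

# Constructed sample of kernel log lines as written by the nixos-fw-log-refuse chain.
SAMPLE_DMESG='[  120.5] refused connection: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=50000 DPT=7844 WINDOW=64240 SYN URGP=0
[  121.0] refused connection: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=40 TTL=64 PROTO=UDP SPT=50001 DPT=7844 LEN=20'

# port_allowed <tcp|udp> <port> [rules-text]
# Exit 0 if the effective nixos-fw chain contains an accept rule for that protocol/port.
# Without a third argument the live rule set is read with `iptables -w -S nixos-fw`.
port_allowed() {
  proto=$1
  port=$2
  rules=${3:-$(iptables -w -S nixos-fw 2>/dev/null)}
  printf '%s\n' "$rules" | grep -q -- "-p $proto -m $proto --dport $port -j nixos-fw-accept"
}

# count_refused <tcp|udp> <port> [log-text]
# Print how many firewall refusals for that protocol/port appear in the kernel log.
# Without a third argument the live log is read with `dmesg`.
count_refused() {
  proto=$(printf '%s' "$1" | tr a-z A-Z)
  port=$2
  log=${3:-$(dmesg 2>/dev/null)}
  # grep -c prints 0 but exits 1 when nothing matches; keep the count and swallow the status.
  printf '%s\n' "$log" | grep -c -- "refused connection:.*PROTO=$proto .*DPT=$port " || true
}

# Demonstration on the constructed samples. On a real host, omit the third argument.
for p in tcp udp; do
  if port_allowed "$p" 7844 "$SAMPLE_RULES"; then
    echo "$p/7844: accept rule present in nixos-fw"
  else
    echo "$p/7844: NO accept rule in nixos-fw"
  fi
  echo "$p/7844: $(count_refused "$p" 7844 "$SAMPLE_DMESG") refusal(s) logged"
done
```

One caveat when reading the result against the symptom in the first post: with rejectPackets = false (the value shown in the dump above) the NixOS firewall drops, so a blocked port shows up as a client-side timeout plus a "refused connection" line in the kernel log, whereas an immediate "Connection refused" is a TCP RST, which a dropping firewall does not send and which usually means no process was listening on that port at that moment.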

Ok, this just got more interesting. I just enabled it to look at what you suggested, and both cloudflare tunnel and netcat are working. I wouldn’t call it intermittent, since I’ve been trying to figure this out for a week and it’s consistently been a problem, but I’ll have to see if I can trigger it again with some reboots.