I am configuring my NixOS firewall to allow port 5000 to be accepted because I am using Flask to make a simple web server on my LAN. And yes, I configured Flask to use 0.0.0.0.
It works for my phones to connect on my LAN IP + port 5000. However, my Windows computer is unable to connect. If I disable the firewall by setting networking.firewall.enable = false it works, however I do not find this acceptable because it isn't good in terms of security. ping works on the mobile devices (using termux), but it does not work on Windows. If I disable the firewall, it works on Windows.
My NixOS computer running the server is connected via Ethernet to my network. My phones and Windows computer are connected to that network via the same WiFi network. I'm not sure what Windows is doing that causes it to be rejected by my server (I presume). If I reboot the Windows machine into Linux (NixOS) and use ping or curl with http and port 5000, it works. It seems to be a Windows problem.
My main pain is the lack of feedback from my computer. It either works or it doesn't. I tried enabling logging but my HTTP requests did not seem to correspond to anything in the logs (no new logs appeared).
dmesg -w will give you kernel logs. Since the firewall is part of the kernel and rejects requests before the HTTP layer, blocked requests are logged there, not by your HTTP server.
I'm not actually sure. It's been a day and now my Windows computer can access my server, but my brother's Windows computer cannot. In the kernel logs it says that a connection (from my brother's PC, AFAIK) has been blocked. It should be allowed under the 192.168.0.0/24 tcp dport 5000 accept since its IP starts with 192.168.0. This issue is really hard to debug because it sometimes works and sometimes doesn't, even with the same config :\. All of a sudden now, after disabling the firewall and re-enabling it, my brother can access the server, which is annoying.
AFAIK that is the case. There is networking.firewall.interfaces.<name>.allowedTCPPorts, which obviously does not enable the port for all interfaces, but at this point I just write custom rules.
And yes, you can use # for comments because it will act as a comment in the resulting nft config (which also uses # for comments).
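As an added example (not from any post in this thread), here is a configuration.nix fragment that does what the replies above describe: open TCP 5000 only on the wired LAN interface via networking.firewall.interfaces.<name>.allowedTCPPorts, or only to the LAN subnet via a custom nft rule, while keeping kernel logging of refused connections on so the blocks show up in dmesg -w. It assumes the nftables backend (so extraInputRules is available), an Ethernet interface named enp3s0 (a placeholder; check `ip link`), and the 192.168.0.0/24 LAN from the thread.

```nix
# Added example, not the thread's own configuration.
# Assumptions: LAN interface is enp3s0 (placeholder), LAN subnet is 192.168.0.0/24.
{ ... }:

{
  networking.firewall.enable = true;

  # Use the nftables backend so networking.firewall.extraInputRules exists and
  # the generated ruleset is nft syntax (where '#' starts a comment).
  networking.nftables.enable = true;

  # Approach 1: open the port on one interface only. A top-level
  # networking.firewall.allowedTCPPorts = [ 5000 ]; would expose the Flask
  # dev server on every interface (Wi-Fi, VPN, ...), which is more than needed.
  networking.firewall.interfaces."enp3s0".allowedTCPPorts = [ 5000 ];

  # Approach 2: restrict by source subnet with a raw nft rule. Same intent as
  # the custom rule quoted in the thread, written with the `ip saddr` match key
  # that nft requires in front of the prefix. Either approach alone suffices.
  networking.firewall.extraInputRules = ''
    # only hosts on the LAN may reach the Flask dev server on TCP 5000
    ip saddr 192.168.0.0/24 tcp dport 5000 accept
  '';

  # Keep the default of logging refused new connections (kernel log prefix
  # "refused connection:"), so a blocked client is visible with
  #   dmesg -w | grep 'refused connection'
  networking.firewall.logRefusedConnections = true;
}
```

After `nixos-rebuild switch`, a refused attempt appears in `dmesg -w` as a line containing IN=<interface>, SRC=<client address> and DPT=5000, which tells you both which host was blocked and on which interface it arrived; that is the feedback the firewall gives, since the packet never reaches Flask.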