Firewall setup in NixOS

Hello ppl! I’ve been researching how to configure a firewall on NixOS, and it seems that things are a bit primitive or too precarious.

For example, I found some links:

But unfortunately, I didn’t find anything very relevant, such as allowing or blocking a specific IP. I found some hacks, but they seem too cumbersome.

Is it still the case in 2024 that we don’t have a simple and complete declarative Firewall solution for NixOS?

NixOS comes with a firewall fully configured by default, you should not have to touch it unless you’re doing something bespoke. Even if you run a server of some kind, the various NixOS modules open the relevant ports for you when you enable them.

For anything else, there’s the networking.firewall module.

If that isn’t enough, you can instead add the relevant iptables commands to extraCommands - this remains declarative, and about as “simple” as bespoke firewall configuration gets.

What exactly are you trying to achieve, and how is the firewall module falling short?

I am trying to make two machines communicate via CJDNS. When both machines connect to a common node, they should be able to communicate through the new IPv6 created by CJDNS. However, I need to open the service port (in this case, SSH port 22 for this specific IPv6) so that one machine can connect to the other. I can open port 22, but I would like to open it only for that machine and not for everyone.

Is the specific IPv6 address on a specific interface? If so you could simply use networking.firewall.interfaces.<ifname>.allowedTCPPorts.

If you really need to match the destination address, I think the best solution is to enable nftables (networking.nftables.enable) and add a rule to the input chain using networking.nftables.ruleset. IIRC the standard NixOS firewall rules will be merged with your own without any extra steps required.

2 Likes
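A worked NixOS configuration for the case described in this thread, added here as an illustration (not code from any poster). It assumes the nftables backend of the stock NixOS firewall and its networking.firewall.extraInputRules option; the two cjdns addresses are constructed placeholders, and the tunnel interface name tun0 is an assumption.

```nix
{ config, lib, pkgs, ... }:

let
  # Constructed placeholder cjdns addresses (cjdns allocates from fc00::/8);
  # substitute the two machines' real addresses.
  selfCjdns = "fc12:3456:789a:bcde:f012:3456:789a:bcde";
  peerCjdns = "fcab:cdef:0123:4567:89ab:cdef:0123:4567";
in
{
  networking.firewall.enable = true;

  # Switch the stock NixOS firewall to its nftables backend so that raw
  # nft rule syntax can be appended to its input-allow chain.
  networking.nftables.enable = true;

  # Do not add 22 to allowedTCPPorts, and stop the openssh module from
  # opening it for everyone (it does so by default); otherwise the
  # narrow rule below is pointless.
  services.openssh.enable = true;
  services.openssh.openFirewall = false;

  # Accept SSH only when it comes from the peer's cjdns address and is
  # addressed to our own cjdns address. Everything else on port 22 still
  # hits the firewall's default reject.
  networking.firewall.extraInputRules = ''
    ip6 saddr ${peerCjdns} ip6 daddr ${selfCjdns} tcp dport 22 accept
  '';

  # Less strict alternative: open 22 to anything arriving on the cjdns
  # tunnel interface (assumed to be tun0), regardless of source address.
  # networking.firewall.interfaces.tun0.allowedTCPPorts = [ 22 ];
}
```

The rule goes into the firewall's own input-allow chain rather than into a separate table via networking.nftables.ruleset because an nftables accept verdict only ends evaluation of the current base chain; the packet would still be evaluated by the nixos-fw input chain and rejected there. A syntax error in the rule fails at nixos-rebuild build time, as noted later in the thread.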

Interesting. Is it possible to do this declaratively in the Nix configuration file? Do you think a more robust and complete solution for a fully declarative Firewall for NixOS will be developed in the future?

Yes, read the comment above and use that option. What do you think “declarative” means?

Is it possible to do this declaratively in the Nix configuration file

Yes, I’ve just told you how. Use these options:

Do you think a more robust and complete solution for a fully declarative Firewall for NixOS will be developed in the future?

It’s already fully declarative: you just define which ports to open or directly write your rules in the nftables syntax, and the changes will be applied/rolled back when you activate the system.

If by more robust you mean a structural option instead of a stringly-typed one (à la RFC042), I don’t think so. There is actually someone trying to do so here, but IMHO this adds a huge amount of hard-to-maintain code to NixOS and it has to bend the nftables syntax considerably. So, I doubt it will ever be accepted.

If you’re worried about making mistakes, the ruleset is already checked at build time, so if you make a syntax error nixos-rebuild build will fail anyway.

1 Like