Global knob to always set openFirewall false?

Hi, I was wondering if a global setting existed to always set openFirewall options to false?

This would be very useful to me at least. I sometimes use a VPN with a static public IPv4 address on it, and it has happened that I exposed services on it, either because a service received an openFirewall attribute defaulting to true or because I overlooked the setting entirely.

Do you think it would be worth adding to the options in the firewall service?

I don’t think so, you might want to change the default in the module though. I don’t think it is a good idea for it to default to true.

We have an unwritten policy that openFirewall must always default to false *except* for the openssh service. Any deviation from this is a bug and should either be reported or fixed.


This sounds more reasonable to me 🙂


New PR at "make openFirewall options to false for NixOS services" by rapenne-s (Pull Request #204618, NixOS/nixpkgs), because I failed my rebase…


Related fallout PR at "nixos/avahi: revert closing firewall port by default" by SuperSandro2000 (Pull Request #205399, NixOS/nixpkgs) (posted my comment there)
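One way to audit module sources against the policy stated in the thread (openFirewall defaults to false, except for openssh), as an added example that is not part of the original posts or of nixpkgs. The file names and module snippets are constructed, `sshd.nix` is an assumed allow-list entry standing in for the openssh module, and the scan is a text heuristic rather than a Nix parser.

```python
import re

# Heuristic text scan, not a Nix parser: braces inside strings or comments
# can confuse it, so treat every hit as a lead for manual review.
DECL = re.compile(r"\bopenFirewall\s*=\s*(?:lib\.)?mkOption\s*\{")
DEFAULT = re.compile(r"\bdefault\s*=\s*(true|false)\s*;")

def option_body(src, start):
    """Return the text between the '{' at src[start] and its matching '}'."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return src[start + 1:]  # unbalanced braces: scan the remainder

def audit(modules, allowed=("sshd.nix",)):
    """modules maps file name -> source. Returns [(file, line)] for each
    openFirewall option declared with default = true outside `allowed`."""
    findings = []
    for name, src in sorted(modules.items()):
        if name in allowed:  # assumed exception list (openssh per the thread)
            continue
        for m in DECL.finditer(src):
            d = DEFAULT.search(option_body(src, m.end() - 1))
            if d and d.group(1) == "true":
                findings.append((name, src.count("\n", 0, m.start()) + 1))
    return findings

# Constructed sample modules, not copied from nixpkgs.
SAMPLE = {
    "sshd.nix": "openFirewall = mkOption {\n  default = true;\n};\n",
    "exampled.nix": (
        'enable = mkEnableOption "exampled";\n'
        "openFirewall = lib.mkOption {\n"
        "  type = lib.types.bool;\n"
        "  default = true;\n"
        "};\n"
    ),
    "otherd.nix": (
        "verbose = mkOption { type = types.bool; default = true; };\n"
        "openFirewall = mkOption { type = types.bool; default = false; };\n"
    ),
}

if __name__ == "__main__":
    for name, line in audit(SAMPLE):
        print(f"{name}:{line}: openFirewall defaults to true")
```

To run it over a real checkout, build the `modules` mapping from the `.nix` files you want to review and adjust `allowed` to the module you accept as the exception.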