My NixOS Firewall isn't Firewalling

Tobi696 · July 20, 2024, 9:24pm

I have a server running NixOS with a very simple configuration.nix:

{ config, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix    
  ];

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  networking.hostName = "server";
  networking.networkmanager.enable = true;
  networking.domain = "";
  services.openssh.enable = true;
  system.stateVersion = "23.11";

  environment.systemPackages = with pkgs; [
    vim
    docker
    docker-compose
    git
    bash
  ];

  users.users.root.extraGroups = [ "docker" ];
  services.xserver.enable = true;
  virtualisation.docker.enable = true;
  virtualisation.docker.rootless = {
    enable = true;
    setSocketVariable = true;
  };

  networking.firewall.allowedTCPPorts = [ 80 443 22 ];
  networking.firewall.enable = true;
}

As I understand, the configuration should only allow external access to ports 80, 443 and 22, however, when I run a service on my server that opens, port 8000 e.g., I can still access it (Firewall seems to malfunction). What am I doing wrong?

MaxHearnden · July 20, 2024, 9:51pm

Local traffic (same host) is routed through the loopback interface which isn’t filtered by default. In addition, various services add the ports used to the firewall (search in search.nixos.org for an option).

If local traffic should also be blocked, try setting networking.firewall.trustedInterfaces = lib.mkForce [];

Shawn8901 · July 20, 2024, 10:05pm

As you are not further specifying what you mean by “When i run a service”, i just want to make you aware that in case you mean a service that uses network via a nixos module, it might get a firewall rule due to the module (so in case you are using that).
Some modules has a openFirewall option with some of them set true as default here, which you can disable when setting it explicitly to false.
If that option is not available you can still mkForce the allowedTCPPorts, but please use such options with care, as you might lock out yourself (e.G. when blocking SSH and you dont have access to a serial console then).

Tobi696 · July 21, 2024, 6:33am

Thanks for the reply so far. As you can see I got docker installed and a service I’m running for example is a nextjs application hosted in a docker container running on port 3000, while I have another Caddy container used for reverse proxies running on ports 80 and 443.

These are the links (ignore Website content):
https://appjoy.at (intended)
http://appjoy.at:3000 (unintended)

Tobi696 · July 21, 2024, 6:36am

Thanks for your reply! If I got it right, I don’t think I am using same host traffic and therefore the loopback interface as I have a domain and access my server with the firewall config from another machine. You can try yourself:

Please ignore website content:
https://appjoy.at
http://appjoy.at:3000

misuzu · July 21, 2024, 7:31am

This is actually a docker issue: Docker Network bypasses Firewall, no option to disable · Issue #22054 · moby/moby · GitHub
Try this: Publishing docker ports to 127.0.0.1 instead of 0.0.0.0 – brokkr.net

Tobi696 · July 21, 2024, 9:00am

Didn’t know about that, thanks!