NixOS default network protections

I know that Nixos by default blocks listening all ports and it’s an unwritten policy that no module should open ports.
What other security network protections Nixos put on by default?

But don’t the SSH and httpd modules do exactly that? Once enabled, they open the port?

Only ssh opens ports by default.

Ah, okay, then I misunderstood something. I don’t have anything enabled except for SSH so far.

Many modules have an openFirewall option. Maybe you were thinking about that?

Mostly I wanted to know if there were any other gotchas in the default network configuration.