I have been alternating between `networking.firewall.allowedTCPPorts` and `networking.nftables.ruleset = ...` depending on whether I needed more advanced expressions that are not covered by the former.
Recently I discovered `networking.nftables.tables.filter...` and tested it in a deployment. However, I don’t like the (lack of) modularity this brings. For instance, I used to declare my global firewall in `fw.nix`, but e.g. nomad-specific rules in `nomad.nix`, which I prefer as a paradigm, because if I stop importing `nomad.nix` in `configuration.nix`, automatically all nomad-related config will not be considered. (This paradigm should always be the way to factor a NixOS config IMO.)
It appears I cannot mix `nftables.tables` and `firewall.allowed....` (which of course makes sense). In other words, it’s still a bit messy and not well documented which `firewall....` attributes constitute completely different config methods.
So which one is the “preferred” NixOS-native method that simultaneously supports more advanced rules (e.g. “state based rules” like for `established` etc.)?
EDIT: actually it appears that it’s possible to mix “high level” things like `allowedTCPPorts` with `tables`: the former will be added to table `inet nixos-fw` in chain `input-allow`, BUT they may get bypassed if there are `jump`s in the `tables` rules, so it’s difficult to not mess up…