One of the most annoying things is when you install a package (such as OpenSSH server) and it immediately starts running. That really grinds my gears. I expect packages to be installed disabled by default and require me to explicitly enable and run them.
Recently I enabled WireGuard in NixOS and to my surprise it was working. I was expecting it to fail because I hadn't opened the WireGuard port in the firewall yet. Turns out, many NixOS service modules open their ports in the firewall for you when you enable them (usually through an openFirewall option, some of which are on by default). This "helpful" behavior was a shock to me as I am used to having to manually enable ports in my firewall, and made me feel very uncomfortable and annoyed.
First, a bit of context. NixOS comes with its own firewall enabled by default. According to the wiki, the NixOS firewall is implemented as a set of iptables rules, or nftables rules when networking.nftables.enable is set.
What this means: if networking.firewall.enable is true (and it is by default), then on every activation NixOS generates its own set of firewall rules and loads them into the kernel alongside anything you have added yourself.
You can see this yourself. Enable the NixOS firewall, and then run iptables-save or nft list ruleset, and you will see a whole bunch of tables that NixOS generates for you.
If you set networking.firewall.enable to false, NixOS stops generating rules. You can verify this by running nft list ruleset and iptables-save: both print nothing (unless something else on the host, such as Docker or libvirt, installs rules of its own). No rules means all traffic is allowed through. You have no firewall.
What I wanted was to configure my own firewall rules completely. I want to control all of it. I didn't want NixOS "helpfully" opening ports and creating all these new tables. I wanted to have full control over exactly what is in my nftables ruleset.
The way to do this, if you want to control your firewall using nftables rules, is quite simple (this is the skeleton from the config linked here): https://github.com/reckenrode/nixos-configs/blob/7b4d979b9a18dcaeb9390cfe77eb2f1891d04380/modules/unit/fi/firewall/nixos-module.nix
{
  networking.firewall.enable = false;
  networking.nftables.enable = true;
  networking.nftables.flushRuleset = true;
  networking.nftables.ruleset = ''
    table inet filter {
      chain input {
        type filter hook input priority filter; policy drop;
      }
    }
  '';
}
And there you go! Put that in your configuration.nix, run nixos-rebuild switch, and the output of nft list ruleset and iptables-save should be exactly what you expect. You have finally regained control over your firewall! One caveat before you switch: with policy drop and no accept rules, the skeleton above drops everything inbound, including loopback traffic and the replies to connections the host itself opened, so add your accept rules first if you are doing this over SSH. With networking.firewall.enable set to false, networking.firewall.allowedTCPPorts and the services' openFirewall options no longer do anything, which is the point: every open port is now one you wrote down yourself.
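For a ruleset you can actually run a host on, here is an added example (not from the original post or the linked config) that keeps the drop-by-default input policy but accepts loopback, replies to outgoing connections, basic ICMP, and two explicitly listed services. The SSH and WireGuard ports, and the choice to expose them at all, are assumptions; change them to match your host.

```nix
{ config, ... }:
{
  # Hand-written nftables ruleset instead of the generated NixOS firewall.
  networking.firewall.enable = false;
  networking.nftables.enable = true;
  networking.nftables.flushRuleset = true;   # drop any stale rules before loading ours
  networking.nftables.ruleset = ''
    table inet filter {
      chain input {
        type filter hook input priority filter; policy drop;

        # Loopback, plus replies to connections this host initiated
        # (this is why an outbound WireGuard tunnel works with no open port).
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Enough ICMP for path MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Every open port is listed here by hand; nothing is opened for us.
        tcp dport 22 accept      # SSH (assumed: you want it reachable from outside)
        udp dport 51820 accept   # WireGuard listen port (assumed value)
      }

      chain forward {
        type filter hook forward priority filter; policy drop;
      }

      chain output {
        type filter hook output priority filter; policy accept;
      }
    }
  '';
}
```

After nixos-rebuild switch, nft list ruleset should print this one table and nothing else. If you later enable a NixOS service that would normally open its port, it will stay closed until you add a dport line here, which is exactly the behaviour the post is asking for.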