@grische
Last active April 26, 2019 12:36
Struggling with NixOS fw rules
firewall = {
  enable = true;
  allowedTCPPorts = [ 22 ];
  allowPing = true;
  rejectPackets = true;
  interfaces = {
    eth0 = {
      allowedTCPPorts = [];
    };
  };
};
======================
$ iptables -Lnixos-fw -v
Chain nixos-fw (1 references)
 pkts bytes target              prot opt in   out  source    destination
    0     0 nixos-fw-accept     all  --  lo   any  anywhere  anywhere
    8   488 nixos-fw-accept     all  --  any  any  anywhere  anywhere  ctstate RELATED,ESTABLISHED
    0     0 nixos-fw-accept     tcp  --  any  any  anywhere  anywhere  tcp dpt:ssh
    0     0 nixos-fw-accept     tcp  --  any  any  anywhere  anywhere  tcp dpt:ssh
    0     0 nixos-fw-accept     icmp --  any  any  anywhere  anywhere  icmp echo-request
    1   177 nixos-fw-log-refuse all  --  any  any  anywhere  anywhere
firewall = {
  enable = true;
  allowedTCPPorts = [ 22 ];
  allowPing = true;
  rejectPackets = true;
  extraCommands = "ip46tables -A nixos-fw -i eth0 -j DROP";
};
======================
$ iptables -Lnixos-fw -v
Chain nixos-fw (1 references)
 pkts bytes target              prot opt in   out  source    destination
    0     0 nixos-fw-accept     all  --  lo   any  anywhere  anywhere
    8   488 nixos-fw-accept     all  --  any  any  anywhere  anywhere  ctstate RELATED,ESTABLISHED
    0     0 nixos-fw-accept     tcp  --  any  any  anywhere  anywhere  tcp dpt:ssh
    0     0 nixos-fw-accept     tcp  --  any  any  anywhere  anywhere  tcp dpt:ssh
    0     0 nixos-fw-accept     icmp --  any  any  anywhere  anywhere  icmp echo-request
    0     0 DROP                all  --  eth0 any  anywhere  anywhere
    1   177 nixos-fw-log-refuse all  --  any  any  anywhere  anywhere
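What both listings above show: the global `allowedTCPPorts` accept rules are emitted into `nixos-fw` with `in any`, and `extraCommands` is appended after them, so the `-A nixos-fw -i eth0 -j DROP` rule in the second config sits behind the port 22 accept and never sees an SSH packet (0 pkts). In the first config, `interfaces.eth0.allowedTCPPorts = []` does nothing because per-interface lists only add accept rules; an empty list adds none and subtracts none. The two identical `tcp dpt:ssh` rules mean port 22 was opened twice, once by the explicit `allowedTCPPorts = [ 22 ]` and once by another module; the openssh module's `openFirewall` option, which defaults to true, is the usual second source. The config below is an added example and not part of this gist; it assumes the interface SSH should stay reachable on is called eth1 and that the installed NixOS has `services.openssh.openFirewall` (check with `nixos-option services.openssh.openFirewall`).

```nix
# Added example, not the gist author's config. Goal: SSH reachable on
# eth1 only, every inbound connection on eth0 refused. The interface
# names and the presence of services.openssh.openFirewall are assumptions.
{ config, lib, pkgs, ... }:

{
  services.openssh = {
    enable = true;
    # The openssh module opens port 22 on every interface by default;
    # turn that off so the firewall block below is the only source of
    # port 22 rules (otherwise a second `in any` accept reappears).
    openFirewall = false;
  };

  networking.firewall = {
    enable = true;
    allowPing = true;
    # Refused packets are rejected (TCP RST / ICMP unreachable) rather
    # than silently dropped, which keeps clients from hanging on timeouts.
    rejectPackets = true;

    # Nothing global: a global allowedTCPPorts rule matches with `in any`
    # and is emitted before anything extraCommands appends, so no later
    # DROP can carve eth0 out of it.
    allowedTCPPorts = [ ];
    allowedUDPPorts = [ ];

    # Per-interface lists only add accept rules, so the allow has to be
    # declared on the interface that should have it; the interface that
    # should not have it is simply left without an entry and falls
    # through to nixos-fw-log-refuse.
    interfaces.eth1.allowedTCPPorts = [ 22 ];
  };
}
```

After `nixos-rebuild switch`, `iptables -L nixos-fw -v -n` should show exactly one `tcp dpt:22` rule, with `eth1` in the `in` column and no `dpt:22` rule with `in any`; a connection attempt to port 22 on eth0's address then hits the trailing `nixos-fw-log-refuse` rule and, with the default `logRefusedConnections = true`, shows up in `journalctl -k` with the `refused connection:` prefix. If an interface-wide rule in `extraCommands` is really wanted, it must be inserted ahead of the accept rules (`ip46tables -I nixos-fw 1 ...`) rather than appended with `-A`, but a blanket `-i eth0 -j DROP` at position 1 also runs ahead of the `RELATED,ESTABLISHED` accept and breaks return traffic on eth0, which is why the declarative per-interface form is the safer choice.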