nixos-demo/os/network/firewall.nix

{ ... }:

{
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
  networking.nftables.enable = false;
  networking.nftables.tables = {
    filter = {
      content = ''
        # Check out https://wiki.nftables.org/ for better documentation.
        # Table for both IPv4 and IPv6.
        chain input {
          type filter hook input priority 0;

          # accept any localhost traffic
          iifname lo accept

          # accept traffic originated from us
          ct state {established, related} accept

          # ICMP
          # routers may also want: mld-listener-query, nd-router-solicit
          ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
          ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept

          # allow "ping"
          ip6 nexthdr icmpv6 icmpv6 type echo-request accept
          ip protocol icmp icmp type echo-request accept

          # count and drop any other traffic
          counter drop
        }

        # Allow all outgoing connections.
        chain output {
          type filter hook output priority 0;
          accept
        }

        chain forward {
          type filter hook forward priority 0;
          accept
        }
      '';
      family = "inet";
    };
  };
}
bridge and nat network options added 2025-07-14 16:03:37 +02:00			`{ ... }:`
initial cleaned up config 2025-07-12 00:28:21 +02:00
			`{`
			`networking.firewall.enable = true;`
			`networking.firewall.allowPing = true;`
			`networking.nftables.enable = false;`
			`networking.nftables.tables = {`
			`filter = {`
			`content = ''`
			`# Check out https://wiki.nftables.org/ for better documentation.`
			`# Table for both IPv4 and IPv6.`
			`chain input {`
			`type filter hook input priority 0;`

			`# accept any localhost traffic`
			`iifname lo accept`

			`# accept traffic originated from us`
			`ct state {established, related} accept`

			`# ICMP`
			`# routers may also want: mld-listener-query, nd-router-solicit`
			`ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept`
			`ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept`

			`# allow "ping"`
			`ip6 nexthdr icmpv6 icmpv6 type echo-request accept`
			`ip protocol icmp icmp type echo-request accept`

			`# count and drop any other traffic`
			`counter drop`
			`}`

			`# Allow all outgoing connections.`
			`chain output {`
			`type filter hook output priority 0;`
			`accept`
			`}`

			`chain forward {`
			`type filter hook forward priority 0;`
			`accept`
			`}`
			`'';`
			`family = "inet";`
			`};`
			`};`
			`}`