37 lines
1.3 KiB
XML
37 lines
1.3 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-firewall">
|
|
<title>Firewall</title>
|
|
|
|
<para>
|
|
NixOS has a simple stateful firewall that blocks incoming connections and
|
|
other unexpected packets. The firewall applies to both IPv4 and IPv6 traffic.
|
|
It is enabled by default. It can be disabled as follows:
|
|
<programlisting>
|
|
<xref linkend="opt-networking.firewall.enable"/> = false;
|
|
</programlisting>
|
|
If the firewall is enabled, you can open specific TCP ports to the outside
|
|
world:
|
|
<programlisting>
|
|
<xref linkend="opt-networking.firewall.allowedTCPPorts"/> = [ 80 443 ];
|
|
</programlisting>
|
|
Note that TCP port 22 (ssh) is opened automatically if the SSH daemon is
|
|
enabled (<option><xref linkend="opt-services.openssh.enable"/> =
|
|
true</option>). UDP ports can be opened through
|
|
<xref linkend="opt-networking.firewall.allowedUDPPorts"/>.
|
|
</para>
|
|
|
|
<para>
|
|
To open ranges of TCP ports:
|
|
<programlisting>
|
|
<xref linkend="opt-networking.firewall.allowedTCPPortRanges"/> = [
|
|
{ from = 4000; to = 4007; }
|
|
{ from = 8000; to = 8010; }
|
|
];
|
|
</programlisting>
|
|
Similarly, UDP port ranges can be opened through
|
|
<xref linkend="opt-networking.firewall.allowedUDPPortRanges"/>.
|
|
</para>
|
|
</section>
|