# Common options
## Options
### networking.nftables.firewall.enable
Name
```
networking.nftables.firewall.enable
```
Description
Whether to enable the zoned nftables based firewall.
Type
```
boolean
```
Default
```
false
```
Example
```
true
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.localZoneName
Name
```
networking.nftables.firewall.localZoneName
```
Description
A zone using this name will be defined that matches the traffic of the
`input` and `output` nft chains. This zone must not be changed. If you
need to further divide the traffic, you can define new zones that have
this zone set as their parent.
Type
```
string
```
Default
```
"fw"
```
Declared in
modules/zoned.nix
### networking.nftables.stopRuleset
Name
```
networking.nftables.stopRuleset
```
Description
The ruleset to be used with nftables. Should be in a format that
can be loaded using "/bin/nft -f". The ruleset is only applied
when the unit is stopped.
Type
```
strings concatenated with "\n"
```
Example
```
''
  # Check out https://wiki.nftables.org/ for better documentation.
  # Table for both IPv4 and IPv6.
  table inet filter {
    # Block all incoming connection traffic except SSH and "ping".
    chain input {
      type filter hook input priority 0;
      # accept any localhost traffic
      iifname lo accept
      # accept traffic originated from us
      ct state {established, related} accept
      # ICMP
      # routers may also want: mld-listener-query, nd-router-solicit
      ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
      ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
      # allow "ping"
      ip6 nexthdr icmpv6 icmpv6 type echo-request accept
      ip protocol icmp icmp type echo-request accept
      # accept SSH connections (required for a server)
      tcp dport 22 accept
      # count and drop any other traffic
      counter drop
    }
    # Allow all outgoing connections.
    chain output {
      type filter hook output priority 0;
      accept
    }
    chain forward {
      type filter hook forward priority 0;
      counter drop
    }
  }
''
```
Declared in
modules/nftables.nix
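A NixOS configuration using the options above, added here as an example and not taken from the module's own documentation: it enables the zoned firewall and sets `stopRuleset` to a fail-closed ruleset so that a stopped nftables unit does not leave the host unfiltered, while still admitting administrative SSH so a stop does not lock you out. The ruleset body is written directly in nft syntax; `stopRulesetFile` is left at its default, which is derived from `stopRuleset`.

```nix
{ ... }:
{
  networking.nftables.firewall.enable = true;

  # Loaded with "nft -f" only while the nftables unit is stopped. A default
  # policy of drop on input and forward keeps the host closed during that
  # window instead of falling back to an empty (accept-everything) ruleset.
  networking.nftables.stopRuleset = ''
    table inet filter {
      chain input {
        type filter hook input priority 0; policy drop;
        # loopback and already-established flows keep working
        iifname lo accept
        ct state { established, related } accept
        ct state invalid drop
        # ICMP needed for path MTU discovery and IPv6 neighbour discovery
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert } accept
        ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        # administrative SSH so the stop ruleset cannot strand the operator
        tcp dport 22 ct state new accept
        # everything else is counted, then dropped by the chain policy
        counter drop
      }
      chain forward {
        # no forwarding at all while the real firewall is down
        type filter hook forward priority 0; policy drop;
        counter drop
      }
      chain output {
        type filter hook output priority 0; policy accept;
      }
    }
  '';
}
```

Validate the generated file before relying on it with `nft -c -f <file>`, which parses and checks the ruleset without loading it.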
### networking.nftables.stopRulesetFile
Name
```
networking.nftables.stopRulesetFile
```
Description
The ruleset file to be used with nftables. Should be in a format that
can be loaded using "nft -f". The ruleset is only applied
when the unit is stopped.
Type
```
path
```
Default
```
pkgs.writeTextFile {
name = "nftables-rules";
text = config.networking.nftables.stopRuleset;
};
```
Declared in
modules/nftables.nix