# Rules
Rules define what should happen with the traffic matched by the zones.
Each rule has a list of `from` zones and `to` zones.
A rule only gets applied if the traffic in question originated in one of the `from` zones and is heading to one of the `to` zones.
If matched, the rule can define ports to open, a terminating `verdict`, or any custom `nft` rules by using `extraLines`.
Rules are applied from most specific to least specific, traversing the `from` side before the `to` side.
To allow for more complex setups (mostly custom drop/reject rules), rules are applied in multiple passes.
Each `rule` has a `ruleType`.
Rules are grouped by their type and applied in these groups, so that all rules of the first type are applied before rules of the next type are taken into consideration.
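The following NixOS snippet is an added example, not from the module's own documentation. It combines the options documented below (`from`, `to`, `allowedTCPPorts`, `allowedUDPPortRanges`, `verdict`, `extraLines`, `ruleType`) into one rule set that illustrates the `ban` / `rule` / `policy` pass ordering. The zone names `lan`, `wan` and `fw` are assumed to be defined elsewhere under the module's zones option (not covered on this page), and the `nft` expression in `extraLines` is constructed for illustration.

```nix
{ config, lib, ... }:
{
  networking.nftables.firewall.rules = {
    # ruleType "ban" rules are applied in the first pass, before any "rule" entries,
    # so this rate limit takes effect regardless of what later rules open.
    # The nft expression is a constructed illustration of an extraLines entry.
    ssh-bruteforce-ban = {
      ruleType = "ban";
      from = "all";
      to = [ "fw" ];   # assumed zone name for the firewall host itself
      extraLines = [
        "tcp dport 22 ct state new limit rate over 10/minute counter drop"
      ];
    };

    # Default ruleType "rule": open ports for traffic from the (assumed) "lan" zone
    # to the firewall host. Matching happens on from-zone, then to-zone.
    lan-to-fw = {
      from = [ "lan" ];
      to = [ "fw" ];
      allowedTCPPorts = [ 22 80 443 ];
      allowedUDPPortRanges = [ { from = 60000; to = 61000; } ];
    };

    # A narrower opening for the (assumed) "wan" zone: only HTTPS.
    wan-to-fw = {
      from = [ "wan" ];
      to = [ "fw" ];
      allowedTCPPorts = [ 443 ];
    };

    # ruleType "policy" rules run in the last pass; a terminating verdict here
    # acts as the catch-all for traffic that no earlier rule accepted.
    default-reject = {
      ruleType = "policy";
      from = "all";
      to = "all";
      verdict = "reject";
    };
  };
}
```

Because every rule above has an effect (opened ports, a verdict or an `extraLines` entry), none of them needs `ignoreEmptyRule`; a rule with none of these would fail the build unless that switch is set.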
## Options
### networking.nftables.firewall.rules
Name
```
networking.nftables.firewall.rules
```
Description
This option has no description.
Type
```
attribute set of (submodule)
```
Default
```
{ }
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.after
Name
```
networking.nftables.firewall.rules.<name>.after
```
Description
This option has no description.
Type
```
non-empty (list of string)
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.allowedTCPPortRanges
Name
```
networking.nftables.firewall.rules.<name>.allowedTCPPortRanges
```
Description
This option has no description.
Type
```
list of (submodule)
```
Default
```
[ ]
```
Example
```
[ { from = 1337; to = 1347; } ]
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.allowedTCPPortRanges.*.from
Name
```
networking.nftables.firewall.rules.<name>.allowedTCPPortRanges.*.from
```
Description
This option has no description.
Type
```
16 bit unsigned integer; between 0 and 65535 (both inclusive)
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.allowedTCPPortRanges.*.to
Name
```
networking.nftables.firewall.rules.<name>.allowedTCPPortRanges.*.to
```
Description
This option has no description.
Type
```
16 bit unsigned integer; between 0 and 65535 (both inclusive)
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.allowedTCPPorts
Name
```
networking.nftables.firewall.rules.<name>.allowedTCPPorts
```
Description
This option has no description.
Type
```
list of signed integer
```
Default
```
[ ]
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.allowedUDPPortRanges
Name
```
networking.nftables.firewall.rules.<name>.allowedUDPPortRanges
```
Description
This option has no description.
Type
```
list of (submodule)
```
Default
```
[ ]
```
Example
```
[ { from = 55000; to = 56000; } ]
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.allowedUDPPortRanges.*.from
Name
```
networking.nftables.firewall.rules.<name>.allowedUDPPortRanges.*.from
```
Description
This option has no description.
Type
```
16 bit unsigned integer; between 0 and 65535 (both inclusive)
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.allowedUDPPortRanges.*.to
Name
```
networking.nftables.firewall.rules.<name>.allowedUDPPortRanges.*.to
```
Description
This option has no description.
Type
```
16 bit unsigned integer; between 0 and 65535 (both inclusive)
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.allowedUDPPorts
Name
```
networking.nftables.firewall.rules.<name>.allowedUDPPorts
```
Description
This option has no description.
Type
```
list of signed integer
```
Default
```
[ ]
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.before
Name
```
networking.nftables.firewall.rules.<name>.before
```
Description
This option has no description.
Type
```
non-empty (list of string)
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.early
Name
```
networking.nftables.firewall.rules.<name>.early
```
Description
This option has no description.
Type
```
boolean
```
Default
```
false
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.enable
Name
```
networking.nftables.firewall.rules.<name>.enable
```
Description
This option has no description.
Type
```
boolean
```
Default
```
true
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.extraLines
Name
```
networking.nftables.firewall.rules.<name>.extraLines
```
Description
This option has no description.
Type
```
list of string
```
Default
```
[ ]
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.from
Name
```
networking.nftables.firewall.rules.<name>.from
```
Description
This option has no description.
Type
```
value "all" (singular enum) or list of string
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.ignoreEmptyRule
Name
```
networking.nftables.firewall.rules.<name>.ignoreEmptyRule
```
Description
Usually rules without effect will fail the build.
Enable this switch to suppress the check for this rule.
Type
```
boolean
```
Default
```
false
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.late
Name
```
networking.nftables.firewall.rules.<name>.late
```
Description
This option has no description.
Type
```
boolean
```
Default
```
false
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.ruleType
Name
```
networking.nftables.firewall.rules.<name>.ruleType
```
Description
The type of the rule specifies when rules are applied.
The rules are applied in the following order:
`ban` then `rule` then `policy`
Usually most rules are of the type `rule`; the other types are mostly
intended to specify special drop/reject rules.
Type
```
one of "ban", "rule", "policy"
```
Default
```
"rule"
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.to
Name
```
networking.nftables.firewall.rules.<name>.to
```
Description
This option has no description.
Type
```
value "all" (singular enum) or list of string
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.rules.<name>.verdict
Name
```
networking.nftables.firewall.rules.<name>.verdict
```
Description
This option has no description.
Type
```
null or one of "accept", "drop", "reject"
```
Default
```
null
```
Declared in
modules/zoned.nix