Common options

Options

networking.nftables.firewall.enable

Name
networking.nftables.firewall.enable
Description

Whether to enable the zoned nftables based firewall.

Type
boolean
Default
false
Example
true
Declared in

modules/zoned.nix

networking.nftables.firewall.localZoneName

Name
networking.nftables.firewall.localZoneName
Description

A zone using this name will be defined that matches the traffic of the input and output nft chains. This zone must not be changed. If you need to further divide the traffic, you can define new zones that have this zone set as their parent.

Type
string
Default
"fw"
Declared in

modules/zoned.nix

networking.nftables.stopRuleset

Name
networking.nftables.stopRuleset
Description

The ruleset to be used with nftables. Should be in a format that can be loaded using “/bin/nft -f”. The ruleset is only applied when the unit is stopped.

Type
strings concatenated with "\n"
Example
''
  # Check out https://wiki.nftables.org/ for better documentation.
  # Table for both IPv4 and IPv6.
  table inet filter {
    # Block all incoming connection traffic except SSH and "ping".
    chain input {
      type filter hook input priority 0;
  
      # accept any localhost traffic
      iifname lo accept
  
      # accept traffic originated from us
      ct state {established, related} accept
  
      # ICMP
      # routers may also want: mld-listener-query, nd-router-solicit
      ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
      ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
  
      # allow "ping"
      ip6 nexthdr icmpv6 icmpv6 type echo-request accept
      ip protocol icmp icmp type echo-request accept
  
      # accept SSH connections (required for a server)
      tcp dport 22 accept
  
      # count and drop any other traffic
      counter drop
    }
  
    # Allow all outgoing connections.
    chain output {
      type filter hook output priority 0;
      accept
    }
  
    chain forward {
      type filter hook forward priority 0;
      counter drop
    }
  }
''
Declared in

modules/nftables.nix
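Because the stop ruleset is what actually enforces policy whenever the nftables unit is not running (a failed activation, a manual stop during maintenance), it deserves the same scrutiny as the active ruleset. The following is an added configuration example, not part of the module's documentation or its code; it assumes the zoned firewall runs on top of the stock NixOS `networking.nftables` unit and that the host is reached over TCP port 22 for recovery.

```nix
# Added example (not from the module): a deny-by-default stop ruleset so the
# host fails closed, not open, while nftables.service is stopped.
{ config, lib, pkgs, ... }:
{
  # Assumption: the zoned firewall builds on the stock NixOS nftables unit.
  networking.nftables.enable = true;
  networking.nftables.firewall.enable = true;

  networking.nftables.stopRuleset = ''
    table inet filter {
      chain input {
        # "policy drop" keeps the chain closed even if a rule below is mistyped.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state invalid drop
        ct state { established, related } accept
        # Out-of-band access for recovery; change the port to yours.
        tcp dport 22 ct state new accept
        # Counter makes dropped traffic visible in "nft list ruleset".
        counter drop
      }
      chain forward {
        type filter hook forward priority 0; policy drop;
        counter drop
      }
      chain output {
        type filter hook output priority 0; policy accept;
      }
    }
  '';
}
```

Before switching to this configuration, `nft -c -f <file>` parses the rendered ruleset without loading it, which catches syntax errors that would otherwise only surface when the unit is stopped.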

networking.nftables.stopRulesetFile

Name
networking.nftables.stopRulesetFile
Description

The ruleset file to be used with nftables. Should be in a format that can be loaded using “nft -f”. The ruleset is only applied when the unit is stopped.

Type
path
Default
pkgs.writeTextFile {
  name = "nftables-rules";
  text = config.networking.nftables.stopRuleset;
};
Declared in

modules/nftables.nix