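{ config, lib, pkgs, ... }:
let
  moduleName = "nixos-firewall";

  # Why:
  # - You had LAN-specific allow rules. Keeping the CIDR as a single variable
  #   makes it easy to adjust per-host or per-network later.
  #
  # Note: this is a plain `let` binding, not a NixOS option, so it cannot be
  # overridden from another module (e.g. hosts/<host>/networking.nix). Change
  # it here, or lift it into an `options.*` declaration when you need
  # per-host overrides.
  homeLanCidr = "192.168.2.0/24";

  # Optional: the interface the home LAN is reached on (e.g. "enp3s0").
  # When set, the LAN allow rules below additionally require the packet to
  # arrive on this interface, so a packet carrying a matching source address
  # over a tunnel, tether or any other interface is not accepted.
  # Left at null, the generated rules are exactly the saddr-only ones.
  homeLanIface = null;

  # Rendered nftables interface match; empty when no interface is configured.
  # `optionalString` is lazy in its second argument, so the interpolation of
  # a null homeLanIface is never evaluated.
  ifaceMatch =
    lib.optionalString (homeLanIface != null) "iifname \"${homeLanIface}\" ";
in
{
  # Why:
  # - Use nftables backend (modern default direction).
  # - Matches your existing config and plays nicely with custom rules
  #   (extraInputRules below is nftables syntax and needs this backend).
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;

    # Why:
    # - Strong baseline: nothing inbound is open unless explicitly allowed.
    # - You then selectively allow what you need (SSH ports live in sshd.nix).
    allowedTCPPorts = [ ];
    allowedUDPPorts = [ ];

    # Why:
    # - These are "quality of life" LAN services you had already:
    #   - KDE Connect: TCP/UDP 1714-1764
    #   - mDNS: UDP 5353 (printer discovery / Avahi-style discovery)
    #
    # Notes:
    # - The rules match on the IPv4 source address only (`ip saddr`), so
    #   IPv6 traffic for these services stays blocked.
    # - A source address is not a trust boundary: any network that also uses
    #   192.168.2.0/24 (a common default range), or any host that forges such
    #   an address, satisfies the match. Treat these as LAN convenience
    #   rules, not authentication; set homeLanIface above to tighten them.
    # - If you don't use KDE Connect or mDNS, delete these blocks.
    extraInputRules = ''
      # KDE Connect (TCP/UDP 1714-1764) from home LAN
      ${ifaceMatch}ip saddr ${homeLanCidr} tcp dport 1714-1764 accept
      ${ifaceMatch}ip saddr ${homeLanCidr} udp dport 1714-1764 accept

      # mDNS / discovery (UDP 5353) from home LAN
      ${ifaceMatch}ip saddr ${homeLanCidr} udp dport 5353 accept
    '';

    # Optional baseline knobs (kept conservative):
    #
    # Why:
    # - Logging refused packets can be noisy on laptops that roam networks.
    # - Leave disabled by default (mkDefault, so a host can re-enable it);
    #   enable temporarily for debugging.
    logRefusedConnections = lib.mkDefault false;
  };

  # Optional: leave a breadcrumb in /etc for debugging module load order
  # (handy while refactoring; remove once stable).
  environment.etc."nixlog/loaded.${moduleName}".text = "loaded\n";
}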