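# {{{autogen}}}
{ pkgs, ... }:
let
  # Port lists shared by both interfaces, kept in one place so the two
  # interface blocks cannot drift apart.
  #
  # networking.firewall only filters INBOUND traffic; outbound is allowed
  # by default and needs no entries here. Every port listed below is a
  # service this host ACCEPTS connections for on that interface.
  sharedTCPPorts = [
    631   # CUPS / IPP network printing
    9100  # AppSocket/JetDirect printing
    6566  # SANE network scanner
    57621 # Spotify Connect
    57622 # Spotify local file sync
  ];
  sharedUDPPorts = [
    5353  # mDNS / Avahi (printer + device discovery)
    631   # CUPS / IPP
    67    # labelled "DHCP", but 67 is the DHCP *server* port; a DHCP client
          # does not need it open inbound — TODO confirm this host serves DHCP,
          # otherwise drop
    123   # NTP: inbound 123 is only needed if this host *serves* NTP; an NTP
          # client's replies are admitted as established traffic — TODO confirm
    1900  # UPnP / SSDP device discovery
    57621 # Spotify Connect
  ];
  kdeConnectRange = [ { from = 1714; to = 1764; } ]; # KDE Connect
in
{
  # Use nftables as the firewall backend
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;
    filterForward = false; # don't filter forwarded traffic

    # Wi-Fi interface.
    # NOTE(review): interface scoping is not LAN scoping — these rules apply
    # to whatever network wlan0 is joined to, including untrusted Wi-Fi.
    # Restricting by source subnet needs an explicit nftables rule
    # (e.g. via networking.firewall.extraInputRules).
    interfaces."wlan0" = {
      allowedTCPPorts = [
        22  # SSH (inbound). Not opened on the ethernet interface below — intentional?
        80  # INBOUND HTTP on wlan0. Outbound HTTP needs no rule — TODO confirm
            # a local web server is intended here, otherwise drop
        443 # INBOUND HTTPS on wlan0, same caveat as 80
      ] ++ sharedTCPPorts;
      allowedTCPPortRanges = kdeConnectRange;
      allowedUDPPorts = sharedUDPPorts;
      allowedUDPPortRanges = kdeConnectRange;
    };

    # Ethernet (ready for when you plug in)
    interfaces."enp0s31f6" = {
      allowedTCPPorts = sharedTCPPorts;
      allowedTCPPortRanges = kdeConnectRange;
      allowedUDPPorts = sharedUDPPorts;
      allowedUDPPortRanges = kdeConnectRange;
    };
  };

  # CLI tool for temporary rule changes without rebuilding
  # Usage: sudo nixos-firewall-tool open tcp 8080
  environment.systemPackages = [ pkgs.nixos-firewall-tool ];
}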