69 lines
2.0 KiB
Nix
69 lines
2.0 KiB
Nix
# --- This file has been auto-generated. For permanent changes alter the appropriate block in the README.org. ---
|
|
{ pkgs, ... }:
|
|
|
|
{
|
|
# Use nftables as the firewall backend
|
|
networking.nftables.enable = true;
|
|
|
|
networking.firewall = {
|
|
enable = true;
|
|
|
|
# LAN-only ports — Wi-Fi interface
|
|
interfaces."wlan0" = {
|
|
allowedTCPPorts = [
|
|
631 # CUPS / IPP network printing
|
|
9100 # AppSocket/JetDirect printing
|
|
6566 # SANE network scanner
|
|
57621 # Spotify Connect
|
|
57622 # Spotify local file sync
|
|
];
|
|
allowedTCPPortRanges = [
|
|
{ from = 1714; to = 1764; } # KDE Connect
|
|
];
|
|
allowedUDPPorts = [
|
|
5353 # mDNS / Avahi (printer + device discovery)
|
|
631 # CUPS / IPP
|
|
67 # DHCP
|
|
123 # NTP time sync
|
|
1900 # UPnP device discovery
|
|
57621 # Spotify Connect
|
|
];
|
|
allowedUDPPortRanges = [
|
|
{ from = 1714; to = 1764; } # KDE Connect
|
|
];
|
|
};
|
|
|
|
# LAN-only ports — ethernet (ready for when you plug in)
|
|
interfaces."enp0s31f6" = {
|
|
allowedTCPPorts = [
|
|
631 # CUPS / IPP network printing
|
|
9100 # AppSocket/JetDirect printing
|
|
6566 # SANE network scanner
|
|
57621 # Spotify Connect
|
|
57622 # Spotify local file sync
|
|
];
|
|
allowedTCPPortRanges = [
|
|
{ from = 1714; to = 1764; } # KDE Connect
|
|
];
|
|
allowedUDPPorts = [
|
|
5353 # mDNS / Avahi (printer + device discovery)
|
|
631 # CUPS / IPP
|
|
67 # DHCP
|
|
123 # NTP time sync
|
|
1900 # UPnP device discovery
|
|
57621 # Spotify Connect
|
|
];
|
|
allowedUDPPortRanges = [
|
|
{ from = 1714; to = 1764; } # KDE Connect
|
|
];
|
|
};
|
|
};
|
|
|
|
# Firewall management tools
|
|
environment.systemPackages = with pkgs; [
|
|
nixos-firewall-tool # CLI: sudo nixos-firewall-tool open tcp 8080
|
|
firewall-config # GUI: graphical firewall manager (Wayland-compatible)
|
|
];
|
|
services.firewalld.enable = true;
|
|
}
|