6 changes: 6 additions & 0 deletions nixos/doc/manual/release-notes/rl-2511.section.md
Expand Up @@ -32,6 +32,10 @@

Refer to the [GNOME release notes](https://release.gnome.org/49/) for more details.

- FirewallD support has been added. It can be configured both as a standalone service (through `services.firewalld`), and as a backend to the existing `networking.firewall` options.

- `networking.firewall` now has a `backend` option for choosing which backend to use.

## New Modules {#sec-release-25.11-new-modules}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
Expand All @@ -53,6 +57,8 @@

- [umami](https://github.com/umami-software/umami), a simple, fast, privacy-focused alternative to Google Analytics. Available with [services.umami](#opt-services.umami.enable).

- [FirewallD](https://firewalld.org/), a firewall daemon with D-Bus interface providing a dynamic firewall. Available as [services.firewalld](#opt-services.firewalld.enable) and a [networking.firewall.backend](#opt-networking.firewall.backend).

- [FileBrowser](https://filebrowser.org/), a web application for managing and sharing files. Available as [services.filebrowser](#opt-services.filebrowser.enable).

- Options under [networking.getaddrinfo](#opt-networking.getaddrinfo.enable) are now allowed to declaratively configure address selection and sorting behavior of `getaddrinfo` in dual-stack networks.
2 changes: 2 additions & 0 deletions nixos/modules/module-list.nix
Expand Up @@ -1162,9 +1162,11 @@
./services/networking/ferm.nix
./services/networking/firefox-syncserver.nix
./services/networking/fireqos.nix
./services/networking/firewall-firewalld.nix
./services/networking/firewall-iptables.nix
./services/networking/firewall-nftables.nix
./services/networking/firewall.nix
./services/networking/firewalld
./services/networking/firezone/gateway.nix
./services/networking/firezone/gui-client.nix
./services/networking/firezone/headless-client.nix
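--- a/nixos/modules/services/networking/firewall-firewalld.nix
+++ b/nixos/modules/services/networking/firewall-firewalld.nix
@@ -0,0 +1,61 @@
+{ config, lib, ... }:
+
+let
+cfg = config.networking.firewall;
+in
+{
+config = lib.mkIf (cfg.enable && cfg.backend == "firewalld") {
+assertions = [
+{
+assertion = cfg.interfaces == { };
+message = ''
+Per interface configurations is not supported with the firewalld based firewall.
+Create zones with `services.firewalld.zones` instead.
+'';
+}
+];
+
+boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" =
+if cfg.checkReversePath == false then
+0
+else if cfg.checkReversePath == "loose" then
+1
+else
+2;
+
+services.firewalld = {
+settings = {
+DefaultZone = lib.mkDefault "nixos-fw-default";
+LogDenied =
+if cfg.logRefusedConnections then
+(if cfg.logRefusedUnicastsOnly then "unicast" else "all")
+else
+"off";
+IPv6_rpfilter =
+if cfg.checkReversePath == false then
+"no"
+else
+let
+mode = if cfg.checkReversePath == true then "strict" else cfg.checkReversePath;
+suffix = if cfg.filterForward then "" else "-forward";
+in
+"${mode}${suffix}";
+};
+zones = {
+nixos-fw-default = {
+target = if cfg.rejectPackets then "%%REJECT%%" else "DROP";
+icmpBlockInversion = true;
+icmpBlocks = lib.mkIf cfg.allowPing [ "echo-request" ];
+ports =
+let
+f = protocol: port: { inherit protocol port; };
+tcpPorts = map (f "tcp") (cfg.allowedTCPPorts ++ cfg.allowedTCPPortRanges);
+udpPorts = map (f "udp") (cfg.allowedUDPPorts ++ cfg.allowedUDPPortRanges);
+in
+tcpPorts ++ udpPorts;
+};
+trusted.interfaces = cfg.trustedInterfaces;
+};
+};
+};
+}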
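Review bot: The `net.ipv4.conf.all.rp_filter` mapping in this new file is inverted: the kernel defines value 1 as strict reverse-path validation and 2 as loose, but the expression assigns 1 to `"loose"` and 2 to `true`/`"strict"`, so a strict configuration is silently weakened to loose and a loose one becomes strict (which can drop asymmetrically routed traffic). Swap the two branches: `else if cfg.checkReversePath == "loose" then 2 else 1;`. The `IPv6_rpfilter` value a few lines below is derived from the same option; it is worth confirming against the firewalld.conf documentation that the `-forward` suffix really corresponds to `filterForward = false` as intended, since the naming suggests the opposite reading. The assertion message `Per interface configurations is not supported` would read better as `Per-interface configuration is not supported`.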
10 changes: 3 additions & 7 deletions nixos/modules/services/networking/firewall-iptables.nix
Expand Up @@ -285,9 +285,7 @@ let
in

{

options = {

networking.firewall = {
extraCommands = lib.mkOption {
type = lib.types.lines;
Expand Down Expand Up @@ -317,13 +315,11 @@ in
'';
};
};

};

# FIXME: Maybe if `enable' is false, the firewall should still be
# built but not started by default?
config = lib.mkIf (cfg.enable && config.networking.nftables.enable == false) {

config = lib.mkIf (cfg.enable && cfg.backend == "iptables") {
assertions = [
# This is approximately "checkReversePath -> kernelHasRPFilter",
# but the checkReversePath option can include non-boolean
Expand All @@ -336,6 +332,8 @@ in

networking.firewall.checkReversePath = lib.mkIf (!kernelHasRPFilter) (lib.mkDefault false);

environment.systemPackages = [ pkgs.nixos-firewall-tool ];

systemd.services.firewall = {
description = "Firewall";
wantedBy = [ "sysinit.target" ];
Expand Down Expand Up @@ -365,7 +363,5 @@ in
ExecStop = "@${stopScript} firewall-stop";
};
};

};

}
10 changes: 3 additions & 7 deletions nixos/modules/services/networking/firewall-nftables.nix
Expand Up @@ -19,9 +19,7 @@ let
in

{

options = {

networking.firewall = {
extraInputRules = lib.mkOption {
type = lib.types.lines;
Expand Down Expand Up @@ -59,11 +57,9 @@ in
'';
};
};

};

config = lib.mkIf (cfg.enable && config.networking.nftables.enable) {

config = lib.mkIf (cfg.enable && cfg.backend == "nftables") {
assertions = [
{
assertion = cfg.extraCommands == "";
Expand All @@ -83,6 +79,8 @@ in
}
];

environment.systemPackages = [ pkgs.nixos-firewall-tool ];

networking.nftables.tables."nixos-fw".family = "inet";
networking.nftables.tables."nixos-fw".content = ''
set temp-ports {
Expand Down Expand Up @@ -203,7 +201,5 @@ in
}
''}
'';

};

}
38 changes: 27 additions & 11 deletions nixos/modules/services/networking/firewall.nix
Expand Up @@ -68,9 +68,7 @@ let
in

{

options = {

networking.firewall = {
enable = lib.mkOption {
type = lib.types.bool;
Expand All @@ -82,6 +80,32 @@ in
'';
};

backend = lib.mkOption {
type = lib.types.enum [
"iptables"
"nftables"
"firewalld"
];
default =
if config.services.firewalld.enable then
"firewalld"
else if config.networking.nftables.enable then
"nftables"
else
"iptables";
defaultText = lib.literalExpression ''
if config.services.firewalld.enable then
"firewalld"
else if config.networking.nftables.enable then
"nftables"
else
"iptables"
'';
description = ''
Underlying implementation for the firewall service.
'';
};

package = lib.mkOption {
type = lib.types.package;
default = if config.networking.nftables.enable then pkgs.nftables else pkgs.iptables;
Expand Down Expand Up @@ -292,11 +316,9 @@ in
};
}
// commonOptions;

};

config = lib.mkIf cfg.enable {

assertions = [
{
assertion = cfg.filterForward -> config.networking.nftables.enable;
Expand All @@ -311,19 +333,13 @@ in

networking.firewall.trustedInterfaces = [ "lo" ];

environment.systemPackages = [
cfg.package
pkgs.nixos-firewall-tool
]
++ cfg.extraPackages;
environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;

boot.kernelModules =
(lib.optional cfg.autoLoadConntrackHelpers "nf_conntrack")
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
boot.extraModprobeConfig = lib.optionalString cfg.autoLoadConntrackHelpers ''
options nf_conntrack nf_conntrack_helper=1
'';

};

}
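Review bot: Nothing visible enables `services.firewalld` when `backend = "firewalld"` is set explicitly (firewall-firewalld.nix only populates its settings and zones), so that combination evaluates cleanly but leaves the host without any running firewall; an assertion `{ assertion = cfg.backend == "firewalld" -> config.services.firewalld.enable; message = "networking.firewall.backend = \"firewalld\" requires services.firewalld.enable"; }` in the `config` block would catch it. In the same block, the context-line assertion `cfg.filterForward -> config.networking.nftables.enable` still ties `filterForward` to `networking.nftables.enable` rather than to the new `backend` option, although the firewalld backend consumes `filterForward` without needing `networking.nftables`; `cfg.filterForward -> cfg.backend != "iptables"` would express the intent. Likewise the `package` default directly after the new option, `if config.networking.nftables.enable then pkgs.nftables else pkgs.iptables`, is not keyed on `cfg.backend`, so a firewalld-backed system still installs the iptables tool. The enclosing `config` attribute set starts and ends outside the last hunk.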
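--- a/nixos/modules/services/networking/firewalld/default.nix
+++ b/nixos/modules/services/networking/firewalld/default.nix
@@ -0,0 +1,66 @@
+{
+config,
+lib,
+pkgs,
+...
+}:
+
+let
+cfg = config.services.firewalld;
+paths = pkgs.buildEnv {
+name = "firewalld-paths";
+paths = cfg.packages;
+pathsToLink = [ "/lib/firewalld" ];
+};
+in
+{
+imports = [
+./service.nix
+./settings.nix
+./zone.nix
+];
+
+options.services.firewalld = {
+enable = lib.mkEnableOption "FirewallD";
+package = lib.mkPackageOption pkgs "firewalld" { };
+packages = lib.mkOption {
+type = lib.types.listOf lib.types.package;
+default = [ ];
+description = ''
+Packages providing firewalld zones and other files.
+Files found in `/lib/firewalld` will be included.
+'';
+};
+extraArgs = lib.mkOption {
+type = lib.types.listOf lib.types.str;
+default = [ ];
+example = [ "--debug" ];
+description = "Extra arguments to pass to FirewallD.";
+};
+};
+
+config = lib.mkIf cfg.enable {
+environment.systemPackages = [ cfg.package ];
+services.dbus.packages = [ cfg.package ];
+services.firewalld.packages = [ cfg.package ];
+
+services.logrotate.settings."/var/log/firewalld" = {
+copytruncate = true;
+minsize = "1M";
+};
+
+environment.etc."sysconfig/firewalld".text = ''
+FIREWALLD_ARGS=${lib.concatStringsSep " " cfg.extraArgs}
+'';
+
+systemd.packages = [ cfg.package ];
+systemd.services.firewalld = {
+aliases = [ "dbus-org.fedoraproject.FirewallD1.service" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig.ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
+environment.NIX_FIREWALLD_CONFIG_PATH = "${paths}/lib/firewalld";
+};
+};
+
+meta.maintainers = with lib.maintainers; [ prince213 ];
+}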
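Review bot: `extraArgs` is joined with single spaces into `FIREWALLD_ARGS` in `/etc/sysconfig/firewalld` with no quoting or validation; the file is presumably read by the upstream unit as an `EnvironmentFile` and expanded unquoted (not visible here), in which case an element containing whitespace is split into several arguments and one containing quote characters can break the file's parsing. Either reject such elements or state the constraint in the option, e.g. `description = "Extra arguments to pass to FirewallD. Each element must be a single argument without whitespace.";`. The `NIX_FIREWALLD_CONFIG_PATH` variable is not explained anywhere on this page; a short comment on that line such as `# Directory of zone/service definitions merged from cfg.packages (consumed by the firewalld package; confirm against its patches)` would help readers understand why `paths` exists.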
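--- a/nixos/modules/services/networking/firewalld/lib.nix
+++ b/nixos/modules/services/networking/firewalld/lib.nix
@@ -0,0 +1,55 @@
+{ lib }:
+
+let
+inherit (lib) mkOption;
+inherit (lib.types)
+either
+enum
+nullOr
+port
+submodule
+;
+mkPortOption =
+{
+optional ? false,
+}:
+mkOption {
+type =
+let
+type = either port (submodule {
+options = {
+from = mkOption { type = port; };
+to = mkOption { type = port; };
+};
+});
+in
+if optional then (nullOr type) else type;
+description = "";
+apply =
+value: if builtins.isAttrs value then "${toString value.from}-${toString value.to}" else value;
+};
+protocolOption = mkOption {
+type = enum [
+"tcp"
+"udp"
+"sctp"
+"dccp"
+];
+description = "";
+};
+in
+{
+inherit mkPortOption;
+inherit protocolOption;
+
+toXmlAttrs = lib.mapAttrs' (name: lib.nameValuePair ("@" + name));
+mkXmlAttr = name: value: { "@${name}" = value; };
+filterNullAttrs = lib.filterAttrsRecursive (_: value: value != null);
+
+portProtocolOptions = {
+options = {
+port = mkPortOption { };
+protocol = protocolOption;
+};
+};
+}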
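Review bot: Both `mkPortOption` and `protocolOption` set `description = ""`, so every port and protocol field built from them (including `portProtocolOptions`) renders with an empty description in the generated options manual; suggest `description = "Port number, or a port range given as an attribute set with from and to.";` for the former and `description = "Transport protocol.";` for the latter, and likewise descriptions on the inner `from`/`to` options. The `apply` function also accepts a range whose `from` is greater than `to` and emits it unchanged as `from-to`, deferring the error to firewalld at runtime; a type `check` on the submodule, or an assertion in the consuming module, would report the inverted range at evaluation time instead.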