Configuring a NixOS firewall for everyday use
Introduction
In today's digital age, securing your computer system is more important than ever. One of the foundational steps in this process is configuring a firewall. Firewalls act as the gatekeepers between your computer and the vast internet, controlling which traffic can pass through. If you're using NixOS, a unique Linux distribution known for its declarative configuration, setting up a firewall can be done efficiently and with precision. In this post, we'll walk through a simple yet effective firewall configuration using iptables on NixOS.
The Firewall Configuration
Below is a snippet of a NixOS configuration that enables and configures a firewall using iptables, a powerful and flexible firewall utility.
In this blog post we discuss how to configure a firewall on the NixOS operating system using iptables. A firewall protects your computer by controlling the traffic between your system and the internet. We provide an example configuration that opens only the TCP and UDP ports needed for secure web browsing, file synchronisation and communication tools. With iptables you can manage firewall rules precisely and maintain a high level of security.
{ config, pkgs, ... }:
{
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      443   # HTTPS for Firefox and other secure web services
      21    # FTP control port for Filezilla
      22    # SSH for secure file transfer with Filezilla
      465   # SMTP for sending email
      993   # IMAP for email retrieval
      995   # POP3 for email retrieval
      22000 # Syncthing default port
    ];
    allowedUDPPorts = [
      21027                # Syncthing default discovery port
      3478 3479 3480 3481  # Zoom, Teams, Skype ports
    ];
    # Use iptables instead of firewalld
    package = pkgs.iptables;
  };
}
Understanding the Configuration
Enable the Firewall: The enable = true; line turns on the firewall, ensuring that only permitted traffic can access your system.
Allowed TCP Ports: The allowedTCPPorts list specifies which TCP ports are allowed through the firewall. Each port serves a specific purpose:
- 443: HTTPS for secure web browsing.
- 21: FTP control port, useful for applications like Filezilla.
- 22: SSH, crucial for secure remote connections and file transfers.
- 465, 993, 995: Ports related to email services like SMTP, IMAP, and POP3.
- 22000: Syncthing's default port, allowing secure file synchronization across devices.
Allowed UDP Ports: Similarly, allowedUDPPorts lists the allowed UDP ports. These are primarily for communication protocols that require fast data transfer, such as:
- 21027: Syncthing's discovery port.
- 3478-3481: Ports used by communication tools like Zoom, Teams, and Skype.
Using iptables: The configuration specifies the use of iptables over firewalld. While firewalld is easier to manage with its dynamic rule management, iptables offers more granular control, making it a preferred choice for users who need precise configuration.
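Once the configuration is active, it is worth checking that the rules actually loaded match the port lists above. The script below is an added example, not part of the original post: it parses an iptables-save dump and reports ports that are open but not configured (unexpected attack surface) and configured ports that are not open. It assumes the chain names nixos-fw and nixos-fw-accept that the NixOS firewall module generates; the dump is a constructed sample so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): compare live iptables rules
# with the port lists from configuration.nix. Assumes the NixOS firewall
# chains "nixos-fw" and "nixos-fw-accept".
set -eu

# Constructed sample of `iptables-save` output; on a real host use
# `sudo iptables-save` instead. It deliberately opens TCP 8080 (not in
# the configuration) and omits several configured ports.
SAMPLE_RULES='*filter
:nixos-fw - [0:0]
:nixos-fw-accept - [0:0]
-A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 22 -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 443 -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 8080 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 21027 -j nixos-fw-accept
-A nixos-fw -j nixos-fw-log-refuse
COMMIT'

# Ports accepted for one protocol (tcp|udp) in the nixos-fw chain,
# one per line, ascending.  $1 = proto, stdin = iptables-save dump
fw_open_ports() {
    grep -E "^-A nixos-fw -p $1 -m $1 --dport [0-9]+ -j nixos-fw-accept" \
        | sed -E 's/.*--dport ([0-9]+).*/\1/' | sort -n
}

# Ports open in the live rules but absent from the expected list.
# $1 = proto, $2 = expected ports (space separated), stdin = dump
fw_unexpected() {
    local proto=$1 expected=$2 port
    fw_open_ports "$proto" | while read -r port; do
        case " $expected " in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Ports in the expected list that the live rules do not open.
# Same arguments as fw_unexpected.
fw_missing() {
    local proto=$1 expected=$2 port open
    open=$(fw_open_ports "$proto")
    for port in $expected; do
        printf '%s\n' "$open" | grep -qx "$port" || echo "$port"
    done
}
```

On a real host, run for example `sudo iptables-save | fw_unexpected tcp "443 21 22 465 993 995 22000"` after each rebuild; any port it prints is open without being in the configuration.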
Why This Approach?
Simplicity: This configuration is straightforward, listing only the necessary ports. It's easy to maintain and modify as your needs change.
Security: By only opening specific ports, you minimize the attack surface on your system. Unused ports are closed off, reducing potential vulnerabilities. Note that these lists govern incoming connections only: the NixOS firewall is stateful and allows replies to connections your machine initiates, so a port needs to be listed only when this machine itself accepts connections on it.
Flexibility: Using iptables gives you the power to fine-tune your firewall rules beyond the basic setup, should you need more advanced configurations.
Conclusion
Configuring a firewall on NixOS with iptables offers a balance of security, simplicity, and control. This setup is tailored for a typical user's needs, covering essential services like web browsing, email, and secure file transfers. As with any security measure, regular reviews and updates of your firewall rules are recommended to ensure ongoing protection.