
System and user configuration, managed by nix and home-manager

prefect: switch to nftables-based firewall
Alan Pearce alan@alanpearce.eu
Sun, 23 Apr 2023 11:28:53 +0200
commit

8d1dfe0927fa3815d87700df6087f159f002fe36

parent

232505d511747ba32e4143ecf673634a5317db81

1 files changed, 11 insertions(+), 4 deletions(-)

M system/prefect.nixsystem/prefect.nix
@@ -123,10 +123,17 @@ enable = true;     openFirewall = false;
     startWhenNeeded = true;
   };
-  networking.firewall.extraCommands = ''
-    iptables  -A nixos-fw -p udp --source 172.30.42.0/24       -j nixos-fw-accept
-    iptables  -A nixos-fw -p tcp --source 172.30.42.0/24       -j nixos-fw-accept
-  '';
+
+  networking.nftables = {
+    enable = true;
+  };
+  networking.firewall = {
+    allowedTCPPorts = [ 80 443 139 445 1024 ];
+    extraInputRules = ''
+      ip saddr 172.30.42.0/24 accept
+      ip6 saddr { fd00::/8, fe80::/10 } accept
+    '';
+  };
 
   hardware.firmware = with pkgs; [
     linux-firmware # for iwlwifi