diff options
| author | Alan Pearce | 2023-04-23 11:28:53 +0200 |
|---|---|---|
| committer | Alan Pearce | 2023-04-23 11:29:49 +0200 |
| commit | 8d1dfe0927fa3815d87700df6087f159f002fe36 (patch) | |
| tree | 4cdcf52522db024eab5339b9d3429c2aef03acf9 | |
| parent | 232505d511747ba32e4143ecf673634a5317db81 (diff) | |
| download | nixfiles-8d1dfe0927fa3815d87700df6087f159f002fe36.tar.lz nixfiles-8d1dfe0927fa3815d87700df6087f159f002fe36.tar.zst nixfiles-8d1dfe0927fa3815d87700df6087f159f002fe36.zip | |
prefect: switch to nftables-based firewall
| -rw-r--r-- | system/prefect.nix | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/system/prefect.nix b/system/prefect.nix index c4990e20..e5ebac22 100644 --- a/system/prefect.nix +++ b/system/prefect.nix @@ -123,10 +123,17 @@ openFirewall = false; startWhenNeeded = true; }; - networking.firewall.extraCommands = '' - iptables -A nixos-fw -p udp --source 172.30.42.0/24 -j nixos-fw-accept - iptables -A nixos-fw -p tcp --source 172.30.42.0/24 -j nixos-fw-accept - ''; + + networking.nftables = { + enable = true; + }; + networking.firewall = { + allowedTCPPorts = [ 80 443 139 445 1024 ]; + extraInputRules = '' + ip saddr 172.30.42.0/24 accept + ip6 saddr { fd00::/8, fe80::/10 } accept + ''; + }; hardware.firmware = with pkgs; [ linux-firmware # for iwlwifi |