Diffstat (limited to 'nixos/doc/manual/configuration/firewall.xml')
-rw-r--r--  nixos/doc/manual/configuration/firewall.xml  56
1 files changed, 32 insertions, 24 deletions
diff --git a/nixos/doc/manual/configuration/firewall.xml b/nixos/doc/manual/configuration/firewall.xml index 87406c28c2f7..b66adcedce6e 100644 --- a/nixos/doc/manual/configuration/firewall.xml +++ b/nixos/doc/manual/configuration/firewall.xml 
@@ -3,36 +3,44 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-firewall"> + <title>Firewall</title> -<title>Firewall</title> - -<para>NixOS has a simple stateful firewall that blocks incoming -connections and other unexpected packets. The firewall applies to -both IPv4 and IPv6 traffic. It is enabled by default. It can be -disabled as follows: - + <para> + NixOS has a simple stateful firewall that blocks incoming connections and + other unexpected packets. The firewall applies to both IPv4 and IPv6 traffic. + It is enabled by default. It can be disabled as follows: <programlisting> -networking.firewall.enable = false; +<xref linkend="opt-networking.firewall.enable"/> = false; </programlisting> - -If the firewall is enabled, you can open specific TCP ports to the -outside world: - + If the firewall is enabled, you can open specific TCP ports to the outside + world: <programlisting> -networking.firewall.allowedTCPPorts = [ 80 443 ]; +<xref linkend="opt-networking.firewall.allowedTCPPorts"/> = [ 80 443 ]; </programlisting> - -Note that TCP port 22 (ssh) is opened automatically if the SSH daemon -is enabled (<option>services.openssh.enable = true</option>). UDP -ports can be opened through -<option>networking.firewall.allowedUDPPorts</option>. Also of -interest is - + Note that TCP port 22 (ssh) is opened automatically if the SSH daemon is + enabled (<option><xref linkend="opt-services.openssh.enable"/> = + true</option>). UDP ports can be opened through + <xref linkend="opt-networking.firewall.allowedUDPPorts"/>. + </para> + + <para> + To open ranges of TCP ports: <programlisting> -networking.firewall.allowPing = true; +<xref linkend="opt-networking.firewall.allowedTCPPortRanges"/> = [ + { from = 4000; to = 4007; } + { from = 8000; to = 8010; } +]; </programlisting> + Similarly, UDP port ranges can be opened through + <xref linkend="opt-networking.firewall.allowedUDPPortRanges"/>. + </para> -to allow the machine to respond to ping requests. 
(ICMPv6 pings are -always allowed.)</para> - + <para> + Also of interest is +<programlisting> +<xref linkend="opt-networking.firewall.allowPing"/> = true; +</programlisting> + to allow the machine to respond to ping requests. (ICMPv6 pings are always + allowed.) + </para> </section> |
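Review bot: the new "To open ranges of TCP ports" paragraph introduces `allowedTCPPortRanges` with `{ from = 4000; to = 4007; }` but never says whether `from` and `to` are inclusive, which is exactly what a reader needs before choosing the bounds; add a sentence stating the inclusive semantics next to the example, and the same for the `allowedUDPPortRanges` cross-reference that follows it. Since a range opens every port in it to the outside world, it is also worth a short caveat here that ranges should be kept as narrow as the service needs rather than used as a convenience. Separately, `<option><xref linkend="opt-services.openssh.enable"/> = true</option>` nests the `xref` inside `<option>`; the other examples in this hunk put the `xref` bare inside `<programlisting>`, so for consistent rendering consider `<xref linkend="opt-services.openssh.enable"/> = <literal>true</literal>` instead of wrapping the whole assignment in `<option>`.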