nftables: use networking.firewall.allowed{TCP,UDP}Port{s,Ranges}

This is a no-op as far as actual config is concerned, but allows using
the usual networking options again, which before this commit were just
old unused code lying around.

There are still many other networking options which we set that
currently do nothing (e.g. the network bridge to lxc).
nicer-nftables
stuebinm 2024-04-06 14:55:48 +02:00
parent 283aba0c2c
commit f389de9c55
1 changed files with 10 additions and 2 deletions


@ -1,5 +1,13 @@
{ config, lib, pkgs, ... }:
let
cfg = config.networking.firewall;
mkPorts = ports: ranges:
lib.strings.concatStringsSep ", "
(map ({from, to}: "${toString from}-${toString to}") ranges
++
map toString ports);
in
{
networking.firewall.enable = false;
networking.nat.enable = false;
@ -39,9 +47,9 @@
iifname { lo } accept
tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
tcp dport { ${mkPorts cfg.allowedTCPPorts cfg.allowedTCPPortRanges} } accept
udp dport { 60000-61000, 64738 } accept
udp dport { ${mkPorts cfg.allowedUDPPorts cfg.allowedUDPPortRanges} } accept
# DHCPv6
ip6 daddr fe80::/64 udp dport 546 accept
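Review bot: The rules on lines L33 and L35 interpolate the `mkPorts` result straight into an anonymous set, so when both the port list and the range list are empty (the NixOS defaults) the generated rule becomes `tcp dport {  } accept`, which I believe nft rejects as a syntax error, and the whole ruleset then fails to load. Because `networking.firewall.enable = false` is set in the first hunk, a failed load leaves the host with no firewall at all rather than falling back to the stock one. Guard each rule on the options being non-empty, e.g. `${lib.optionalString (cfg.allowedTCPPorts != [] || cfg.allowedTCPPortRanges != []) "tcp dport { ${mkPorts cfg.allowedTCPPorts cfg.allowedTCPPortRanges} } accept"}` and the same for `cfg.allowedUDPPorts`/`cfg.allowedUDPPortRanges`. A one-line comment above `mkPorts` in the first hunk, such as `# render a NixOS port list plus {from,to} ranges as nftables set elements`, would also help the next reader. The rest of this chain's rules continue past the visible end of the hunk, so any further uses of the helper there would need the same guard.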