What's the best way to setup a firewall in Guix?

Themightyox · March 10, 2025, 12:23pm

I’m interested in declaring a nftable in my config. I can see there is a default ruleset in the documentation %default-nftables-ruleset, however, it keeps the ssh port open which isn’t something I need on my desktop setup. What would be the best way to go about modifying this ruleset or declaring a custom one?

I’m relatively new to Guix and Scheme so any pointers would be much appreciated

heq · March 10, 2025, 1:14pm

This is what I’ve got.

            (service nftables-service-type
                     (nftables-configuration
                      (ruleset (plain-file "nftables.conf"
                                           "\
# A simple and safe firewall (based on %default-nftables-ruleset)
define pub_iface = \"enp11s0\"
define wg_iface = \"wg0\"
define wg_port = 51820
define ssh_port = 22
define guix_publish_port = 8080

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # early drop of invalid connections
    ct state invalid drop

    # allow established/related connections
    ct state { established, related } accept

    # allow from loopback
    iif lo accept
    # drop connections to lo not coming from lo
    iif != lo ip daddr 127.0.0.1/8 drop
    iif != lo ip6 daddr ::1/128 drop

    # allow icmp
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # allow ssh
    tcp dport $ssh_port accept

    # allow guix publish
    tcp dport $guix_publish_port accept

    # allow wireguard port
    udp dport $wg_port accept

    # reject everything else
    reject with icmpx type port-unreachable
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
"))))

Themightyox · March 10, 2025, 2:02pm

Awesome, thanks a lot. I’ll use that for my config but with

tcp dport $ssh_port accept

commented out and a few tweaks

daviwil · March 12, 2025, 12:17pm

Nice, thanks for the example!

What are people’s thoughts on nftables vs iptables? Looks like the syntax for nftables may be a little more expressive, are there other reasons why it’s a better choice?

daviwil · March 12, 2025, 12:17pm

By the way, welcome to the community @heq and @Themightyox!

Themightyox · March 18, 2025, 1:12pm

Thank you. Seems like you’ve made a lovely community here !

As to iptables and nftables. I believe they’re largely identical beyond that. Though certain applications like Docker still don’t play well with nftables—they are in the process of upgrading, however.

tinhead · March 25, 2025, 5:06pm

Hi,

I know this is solved but if you would like you could have a look here for a more declarative approach: th-guix-channel/th/services/firehol.scm at main · TinHead/th-guix-channel · GitHub

Cheers,
TH

Topic		Replies	Views
Wireguard does not work on guix Guix	10	214	December 19, 2024
My Adventures in Guix - Part 1(Home serving it up!) General	0	137	March 13, 2025
NB: Organizing a basic system config Guix guile , guix	2	128	February 26, 2025
Guix + StumpWM Setup Guix guile , lisp , emacs , guix	20	1444	February 11, 2025
How to access a service's generated configuration Guix	1	127	June 13, 2024

What's the best way to setup a firewall in Guix?

Related topics