What's the best way to set up a firewall in Guix?

I’m interested in declaring an nftables ruleset in my config. I can see there is a default ruleset in the documentation, %default-nftables-ruleset; however, it keeps the ssh port open, which isn’t something I need on my desktop setup. What would be the best way to go about modifying this ruleset or declaring a custom one?

I’m relatively new to Guix and Scheme, so any pointers would be much appreciated.

This is what I’ve got.

(service nftables-service-type
         (nftables-configuration
          (ruleset (plain-file "nftables.conf"
                               "\
# A simple and safe firewall (based on %default-nftables-ruleset)
define pub_iface = \"enp11s0\"
define wg_iface = \"wg0\"
define wg_port = 51820
define ssh_port = 22
define guix_publish_port = 8080

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # early drop of invalid connections
    ct state invalid drop

    # allow established/related connections
    ct state { established, related } accept

    # allow from loopback
    iif lo accept
    # drop connections to lo not coming from lo
    iif != lo ip daddr 127.0.0.1/8 drop
    iif != lo ip6 daddr ::1/128 drop

    # allow icmp
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # allow ssh
    tcp dport $ssh_port accept

    # allow guix publish
    tcp dport $guix_publish_port accept

    # allow wireguard port
    udp dport $wg_port accept

    # reject everything else
    reject with icmpx type port-unreachable
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
"))))
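As an added example (not from the thread and not Guix's own code), here is one way to build a desktop variant of the ruleset above in Guile so that the open inbound ports are a list rather than lines you comment out: an empty TCP list means no `tcp dport ... accept` rule is emitted at all, so nothing listens to the outside unless you say so. The WireGuard port and the interface names are assumptions, and a `forward` chain with `policy drop` is added because a desktop has no reason to route packets between interfaces.

```scheme
;; Added example: parameterised desktop firewall for Guix System.
;; Assumptions: (gnu services networking) provides nftables-service-type,
;; plain-file comes from (guix gexp), and the (service ...) form below is
;; placed in the services field of your operating-system declaration.
(use-modules (gnu services networking)
             (guix gexp))

;; Inbound ports to accept.  Leave the TCP list empty on a desktop;
;; add 22 here if you really want SSH reachable.
(define %desktop-allowed-tcp-ports '())
(define %desktop-allowed-udp-ports '(51820)) ; WireGuard, assumed port

;; Emit one "<proto> dport { ... } accept" rule, or nothing for an empty list,
;; so an unused protocol leaves no accept rule behind.
(define (port-rules proto ports)
  (if (null? ports)
      ""
      (string-append "    " proto " dport { "
                     (string-join (map number->string ports) ", ")
                     " } accept\n")))

(define %desktop-nftables-ruleset
  (plain-file "nftables.conf"
    (string-append "\
# Desktop ruleset: default-deny inbound, allow established traffic,
# loopback and ICMP, plus only the ports listed in the Scheme lists above.
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    ct state invalid drop
    ct state { established, related } accept

    iif lo accept
    iif != lo ip daddr 127.0.0.1/8 drop
    iif != lo ip6 daddr ::1/128 drop

    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

"
      (port-rules "tcp" %desktop-allowed-tcp-ports)
      (port-rules "udp" %desktop-allowed-udp-ports)
      "\
    reject with icmpx type port-unreachable
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
")))

;; Goes in the services list of your operating-system.
(service nftables-service-type
         (nftables-configuration
          (ruleset %desktop-nftables-ruleset)))
```

Before reconfiguring, the generated file can be syntax-checked without loading it by running `nft -c -f` on the store path that `guix system build` produces; the reject line is kept as the last rule so the `policy drop` only catches packets that fall through unexpectedly.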

Awesome, thanks a lot. I’ll use that for my config but with

tcp dport $ssh_port accept

commented out and a few tweaks :slight_smile:

Nice, thanks for the example!

What are people’s thoughts on nftables vs iptables? Looks like the syntax for nftables may be a little more expressive; are there other reasons why it’s a better choice?

By the way, welcome to the community @heq and @Themightyox!