BlessJah has quit [Ping timeout: 240 seconds]
BlessJah has joined #nixos-on-your-router
<BlessJah> does nixos have any firewall features (router-firewall, e.g. allowing or disallowing forwarding)
<makefu> BlessJah: yes there are a couple of *primitive* firewall features: https://nixos.org/nixos/options.html#networking.firewall
<makefu> for everything else there is networking.firewall.extraCommands where you can put your own iptables commands
<makefu> enabling forwarding can be done via boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
<makefu> however this of course is not nearly as much as other open-source routers such as pfsense, ipfire or even openwrt
<BlessJah> and VyOS
<BlessJah> networking.firewall seems to be mostly concerned about anyone-to-localhost traffic, not intranet-to-internet
<cransom> correct. there are no existing mechanisms for things in the forwarding table
<cransom> but that doesn't stop you from using something like firehol or revamping with nftables. but there's no integration there with the config system
<gchristensen> yeah that isn't ideal
<cransom> it is not awesome, no.
<cransom> i wonder how archaic it would be to bolt firehol into the current firewall module.
<makefu> cransom: however there may exist some module framework which abstracts firewalling. for example tv and lassulus have built their own firewall modularization at https://git.shackspace.de/krebs/stockholm/blob/master/krebs/3modules/iptables.nix . here is what container ip forwarding looks like https://git.shackspace.de/krebs/stockholm/blob/master/lass/2configs/container-networking.nix#L10
<cransom> i keep having an itch to do that but then i keep thinking about things that modify the firewall at runtime, like docker/miniupnpd/fail2ban/etc and i go a little cross-eyed
<cransom> but hrm. maybe i'll try that. duplicating existing functionality is a fairly low bar.
<BlessJah> yep, I've disabled docker and still had docker rules in iptables after rebuild
gillmanash has joined #nixos-on-your-router