18:48 <BlessJah> disasm: maybe you'd know: I'm trying to get firewall-like rules where I could decide which subnets are allowed to access which ports

18:49 <BlessJah> more generic than networking.firewall.allowedTCPPorts

18:50 <BlessJah> nftables may be the way to go, but so far I've never used the tool

18:55 <disasm> BlessJah: use the `-s 10.40.33.20/24` parameter to the rule. There's no built-in nix way to do it, would require some special hacking.

18:57 <BlessJah> the rule? like when adding one manually or modifying one that nix created?

18:58 <cransom> if you are allowing, you' dhave to remove the nix rule and add your own

19:02 <cransom> if you are looking to be more specific than allowing all traffic to a port, there's no piece of the firewall module you can really use other than adding in iptables for the specific port and sources you want and removing them from allowedXXXPorts.

19:03 <BlessJah> or doing it with nftables?

19:03 <cransom> or nftables. there's nothing built in to the modules for any of nftables though.

19:04 <BlessJah> https://nixos.org/nixos/options.html#nftables

19:05 <BlessJah> there is, enable and string with rulesets

19:05 <BlessJah> project claims that syntax is friendlier

19:06 <cransom> yes, you'd end up writing all of the rule set. which may be fine, it just doesn't cooperate with anything that thinks iptables exists.

19:13 <BlessJah> yep, including docker and libvirt

19:15 <cransom> and fail2ban/et al. i'd like to check out nftables but haven't had the time nor project for it.

19:15 <cransom> https://github.com/NixOS/nixpkgs/issues/23181#issuecomment-312437442 may be an option for you