thelegy / nixos-nftables-firewall

A zone-based firewall built on top of nftables for NixOS
https://thelegy.github.io/nixos-nftables-firewall/
MIT License

checkScript replicates NixOS/nixpkgs#88643 #8

Open antifuchs opened 1 year ago

antifuchs commented 1 year ago

I'm trying the zoned nixos-nftables-firewall for the first time & love the ways it lets me express stuff! Unfortunately, I'm running into the same issue as was fixed in NixOS/nixpkgs#121517: When I try to start the nftables firewall after tailscale (which installs iptables-nft rules via the nftables compatibility layer) has been loaded, you get the following error:

Aug 14 01:46:33 leigh systemd[1]: Starting nftables firewall...
Aug 14 01:46:33 leigh qzsaxdqhprfbdvy0vrpj4scgfrp315v6-nftables-stopcheck[50009]: Unload ip_tables before using nftables!
Aug 14 01:46:33 leigh birsnyjrwv4wsd1lwhdfq27wlv9rcybd-nftables-check[50015]: Unload ip_tables before using nftables!
Aug 14 01:46:33 leigh systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Aug 14 01:46:33 leigh systemd[1]: nftables.service: Failed with result 'exit-code'.
Aug 14 01:46:33 leigh systemd[1]: Failed to start nftables firewall.

I think the fix from the PR linked above would be appropriate for this flake, as well: Remove the warning, as iptables and nft can now work together.

What do you think?
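As an added illustration, not code from this repository or from the nixpkgs change the issue references: a POSIX shell sketch of the kind of module check the thread is about. `check_strict` reproduces the "Unload ip_tables before using nftables!" failure shown in the log above, while `check_relaxed` (my own variant, an assumption about what a relaxed check could look like) only logs and lets the unit start, which is how iptables-nft rules from tools like tailscale and a native nftables ruleset can coexist. The function names and the `/proc/modules` sample text are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of /proc/modules output (hypothetical values, for illustration only).
SAMPLE_MODULES_WITH_IPT='ip_tables 32768 0 - Live 0x0000000000000000
nft_compat 20480 1 - Live 0x0000000000000000
nf_tables 311296 3 nft_compat, Live 0x0000000000000000'

SAMPLE_MODULES_WITHOUT_IPT='nf_tables 311296 2 - Live 0x0000000000000000
nf_conntrack 172032 1 nf_tables, Live 0x0000000000000000'

# Return 0 if a legacy iptables family module appears in the given /proc/modules text.
# $1: text in /proc/modules format (first field is the module name).
legacy_iptables_loaded() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^(ip_tables|ip6_tables|arp_tables|ebtables)$/ { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Strict behaviour: refuse to proceed when a legacy module is loaded.
# This is the behaviour the log excerpt in the issue shows (exit status 1).
check_strict() {
  if legacy_iptables_loaded "$1"; then
    echo "Unload ip_tables before using nftables!" >&2
    return 1
  fi
  return 0
}

# Relaxed behaviour (assumed variant): log the coexistence and continue, so the
# firewall unit still starts and the ruleset is still applied.
check_relaxed() {
  if legacy_iptables_loaded "$1"; then
    echo "warning: a legacy iptables module is loaded; iptables-nft rules will share the kernel ruleset" >&2
  fi
  return 0
}

# Stand-alone usage: inspect the live module list when it is readable.
if [ -r /proc/modules ]; then
  check_relaxed "$(cat /proc/modules)"
fi
```

The strict variant is what turns a harmless module load into a failed `nftables.service`; the relaxed one keeps the check as a diagnostic without making the firewall fail to start, which matters because a firewall unit that refuses to start leaves the host without the intended rules.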

thelegy commented 1 year ago

Thanks for the hint. As the implementation was based on the file in nixpkgs that was changed by the PR you referenced, it makes sense to also replicate the changes in this repository.

In fact it is only replicated in this repository as I added the stopRuleset that is executed when the systemd unit is stopped or fails. I think it is a good addition, as firewalls can be more robust that way and won't fail open. It might be the part of this repository that could even be included in upstream nixpkgs. But until it is I will replicate those changes in this repository.

For tailscale I might have an additional hint. I never liked the idea of it messing with my finely crafted firewall rules. You can actually tell it not to bother. I have a custom tailscale module that aims to lock down tailscale much more at the expense of some features of it not working properly, like tailscale-ssh and exit nodes, which I never use. Maybe that is of interest to you: https://github.com/thelegy/yaner/blob/main/modules/tailscale.nix

antifuchs commented 2 months ago

I finally realized that I hadn't made a pull request for this code change, which I'd been using for nearly a year now. Hope you can include it!