Insecure openFirewall

[RafaelKr]

With the current openFirewall configuration Port 6556 is opened for everyone. So you can call telnet <IP> 6556 from any other device to see all Monitoring information.

I used the following configuration (for nftables) instead:

{
  config,
  pkgs,
  check_mk_agent,
  ...
}:
let
  cfg = config.services.check_mk_agent;
  monitoringServerIp = "123.123.123.123";
in
{
  imports = [ check_mk_agent.nixosModules.check_mk_agent ];

  config = {
    services.check_mk_agent = {
      enable = true;
      bind = "0.0.0.0";
      openFirewall = false;
      package = pkgs.check_mk_agent.override { enablePluginSmart = true; };
    };

    networking.firewall.extraInputRules = ''
      ip saddr ${monitoringServerIp} tcp dport ${toString cfg.port} accept
    '';
  };
}

[BenediktSeidl]

I thought this was the default for all "official" nixos configuration. I just picked some random examples from search.nixos.org

• https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/web-apps/silverbullet.nix
  seems to have only a very basic configuration
• https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters.nix
  seems to have a advanced firewall configuration via firewallFilter and firewallRules options, but those seems to be only used by services.promethues.exporters.*
• https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/mediatomb.nix
  simple
• https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/web-apps/gotosocial.nix
  simple
• https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/bazarr.nix
  simple
• https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/web-apps/suwayomi-server.nix simple

This seems to confirm my gut feeling: If you just want to open the firewall to everyone you can use that option, otherwise you have to configure your firewall on your own. I think this makes sense, because the flake author can not know whether the system uses iptables, nftables or other higher level firewall systems.

I too have special firewall configuration in my setup via networking.firewall.extraCommands.

Do you have an example of other modules or flakes that have a more advanced firewall configuration option?