nixos/sshd: disable openFirewall by default #75454
Motivation for this change
Opening the SSH port on the firewall by default is a security risk and it should be blocked.
I'm concerned about this because some NixOS systems may be unknowingly relying on the default setting (true) to open the SSH port on the firewall. Personally, I didn't even know this option existed.
What about removing the default setting altogether? Wouldn't that cause a build-time failure, forcing the system admin to explicitly set it to true or false?
In addition, given the change is not backwards compatible, I think it should be documented in the release notes.
Consensus up to now was that sshd was the only exception allowed to open a firewall port automatically.
If we were to disable that, I'm sure we would receive another PR to re-enable it pretty quickly.
Instead, maybe there is some doc to enhance to emphasize that the first things a concerned admin should do after a NixOS install is to look at and review the sshd config.
Understandable. But I'd rather vote for adding either a warning (if only the default value is set) or to mention this in the manual at a more "prominent" position.
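The two suggestions raised in this thread, making the choice explicit on each host and warning when a system is still relying on the implicit default, can both be expressed as ordinary NixOS configuration. The following module is an added example written for this discussion, not code from the pull request or from nixpkgs. It assumes the real options `services.openssh.enable`, `services.openssh.openFirewall`, `services.openssh.ports` and `networking.firewall.allowedTCPPorts`, the module-system `warnings` list, and the `options.<name>.isDefined` attribute that is true when at least one module defines the option; the inner `sshFirewallPolicy` module name is invented for the example.

```nix
{ config, lib, options, ... }:

let
  # Policy module (constructed for this example): emit an evaluation-time
  # warning whenever sshd is enabled but services.openssh.openFirewall was
  # never set by any module, i.e. the host is relying on the default.
  # Assumes `options.<name>.isDefined` from the NixOS module system.
  sshFirewallPolicy = { config, lib, options, ... }: {
    warnings = lib.optional
      (config.services.openssh.enable
        && !options.services.openssh.openFirewall.isDefined)
      ''
        services.openssh.openFirewall is not set explicitly; sshd is relying on
        the default value to open TCP port(s)
        ${lib.concatMapStringsSep ", " toString config.services.openssh.ports}
        on the firewall. Set it to true or false deliberately.
      '';
  };
in
{
  imports = [ sshFirewallPolicy ];

  services.openssh.enable = true;

  # Explicit choice for this host: sshd does not open its own hole.
  services.openssh.openFirewall = false;

  # The SSH port(s) are opened through the generic firewall option instead,
  # so they show up in the same place as every other exposed service.
  networking.firewall.allowedTCPPorts = config.services.openssh.ports;
}
```

On this host the warning never fires, because `openFirewall` is defined in the same file; a host that imports only `sshFirewallPolicy` and leaves the option untouched gets the warning at `nixos-rebuild` time, which is the "warning if only the default value is set" behaviour proposed above without changing the default itself.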
Full ack! I already found several corner cases that caused me to lock myself out of a remote NixOS. By disabling an open
In case there are more folks in favor of dropping that default, I'd be fine with this solution.