From a4ecab1763b74df0fe68bbe15223bee61e4c6651 Mon Sep 17 00:00:00 2001
From: Ryan Cao <70191398+ryanccn@users.noreply.github.com>
Date: Thu, 23 Oct 2025 09:54:49 +0100
Subject: [PATCH] networking: modify firewall settings only if explicitly set
---
 modules/networking/applicationFirewall.nix | 51 ++++++++++++++++------
 release.nix | 1 +
 tests/networking-firewall.nix | 17 ++++++++
 3 files changed, 56 insertions(+), 13 deletions(-)
 create mode 100644 tests/networking-firewall.nix
diff --git a/modules/networking/applicationFirewall.nix b/modules/networking/applicationFirewall.nix
index fc23121..2bab9b3 100644
--- a/modules/networking/applicationFirewall.nix
+++ b/modules/networking/applicationFirewall.nix
@@ -13,6 +13,7 @@ in {
 meta.maintainers = [
 (lib.maintainers.prince213 or "prince213")
+ (lib.maintainers.ryanccn or "ryanccn")
 ];
 options.networking.applicationFirewall = {
@@ -22,16 +23,34 @@ in
 example = true;
 description = "Whether to enable application firewall.";
 };
- blockAllIncoming = lib.mkEnableOption "blocking all incoming connections";
- allowSigned = lib.mkEnableOption "built-in software to receive incoming connections" // {
- default = true;
+
+ blockAllIncoming = lib.mkOption {
+ type = lib.types.nullOr lib.types.bool;
+ default = null;
+ example = true;
+ description = "Whether to block all incoming connections.";
+ };
+
+ allowSigned = lib.mkOption {
+ type = lib.types.nullOr lib.types.bool;
+ default = null;
+ example = true;
+ description = "Whether to allow built-in software to receive incoming connections.";
+ };
+
+ allowSignedApp = lib.mkOption {
+ type = lib.types.nullOr lib.types.bool;
+ default = null;
+ example = true;
+ description = "Whether to allow downloaded signed software to receive incoming connections.";
+ };
+
+ enableStealthMode = lib.mkOption {
+ type = lib.types.nullOr lib.types.bool;
+ default = null;
+ example = true;
+ description = "Whether to enable stealth mode.";
 };
- allowSignedApp =
- lib.mkEnableOption "downloaded signed software to receive incoming connections"
- // {
- default = true;
- };
- enableStealthMode = lib.mkEnableOption "stealth mode";
 };
 config = {
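Review bot: None of the four new option descriptions says what the new `null` default means, and that is the behaviour this commit introduces: an unset option produces no `socketfilterfw` call at all, rather than forcing a value. `allowSigned` and `allowSignedApp` previously defaulted to `true`, so configurations that relied on the old default silently stop emitting `setallowsigned`/`setallowsignedapp`, and the description is the only place a reader would learn that. Suggest extending each description along the lines of `description = "Whether to block all incoming connections. Leave as null to skip configuring this setting during activation.";`, with the matching wording for `allowSigned`, `allowSignedApp` and `enableStealthMode`.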
@@ -39,10 +58,16 @@ in
 echo "configuring application firewall..." >&2
 ${lib.optionalString (cfg.enable != null) (socketfilterfw "setglobalstate" cfg.enable)}
- ${lib.optionalString (cfg.enable == true) (socketfilterfw "setblockall" cfg.blockAllIncoming)}
- ${socketfilterfw "setallowsigned" cfg.allowSigned}
- ${socketfilterfw "setallowsignedapp" cfg.allowSignedApp}
- ${socketfilterfw "setstealthmode" cfg.enableStealthMode}
+ ${lib.optionalString (cfg.blockAllIncoming != null) (
+ socketfilterfw "setblockall" cfg.blockAllIncoming
+ )}
+ ${lib.optionalString (cfg.allowSigned != null) (socketfilterfw "setallowsigned" cfg.allowSigned)}
+ ${lib.optionalString (cfg.allowSignedApp != null) (
+ socketfilterfw "setallowsignedapp" cfg.allowSignedApp
+ )}
+ ${lib.optionalString (cfg.enableStealthMode != null) (
+ socketfilterfw "setstealthmode" cfg.enableStealthMode
+ )}
 '';
 };
 }
diff --git a/release.nix b/release.nix
index 548c04d..410b099 100644
--- a/release.nix
+++ b/release.nix
@@ -85,6 +85,7 @@ in {
 tests.homebrew = makeTest ./tests/homebrew.nix;
 tests.launchd-daemons = makeTest ./tests/launchd-daemons.nix;
 tests.launchd-setenv = makeTest ./tests/launchd-setenv.nix;
+ tests.networking-firewall = makeTest ./tests/networking-firewall.nix;
 tests.networking-hostname = makeTest ./tests/networking-hostname.nix;
 tests.networking-networkservices = makeTest ./tests/networking-networkservices.nix;
 tests.nix-enable = makeTest ./tests/nix-enable.nix;
diff --git a/tests/networking-firewall.nix b/tests/networking-firewall.nix
new file mode 100644
index 0000000..a2f6c3b
--- /dev/null
+++ b/tests/networking-firewall.nix
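Review bot: The `setblockall` line drops the `cfg.enable == true` guard the removed line had; on the new side it is emitted whenever `blockAllIncoming` is non-null, so a configuration with `enable = false` (or `enable = null`) and `blockAllIncoming = true` now runs `socketfilterfw --setblockall` against a firewall whose global state is off, which the removed guard prevented. Whether that call succeeds or errors in the activation script with the global state off is not visible here; if the old gating was intentional, combine the two conditions, `${lib.optionalString (cfg.enable == true && cfg.blockAllIncoming != null) (`, and otherwise add a short comment above the line saying why `setblockall` is no longer tied to `enable`. The activation script and the `socketfilterfw` helper it calls start outside this hunk.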
@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+ networking.applicationFirewall = {
+ enable = true;
+ blockAllIncoming = true;
+ allowSignedApp = false;
+ enableStealthMode = null;
+ };
+
+ test = ''
+ echo "checking socketfilterfw calls in /activate" >&2
+ grep "/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on" ${config.out}/activate
+ grep "/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on" ${config.out}/activate
+ grep "/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off" ${config.out}/activate
+ (! grep "/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode" ${config.out}/activate)
+ '';
+}
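Review bot: The test leaves `allowSigned` at its new `null` default but only asserts the absence of `--setstealthmode`, so the "unset option emits nothing" behaviour is exercised for one option only, and never for one that previously defaulted to `true`. Adding `(! grep "/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned " ${config.out}/activate)` would cover it; the trailing space inside the pattern matters, because `--setallowsigned` is a prefix of the `--setallowsignedapp off` line the test expects to find, and without it the negative assertion would always fail. A second case with `enable = false` and an explicit `blockAllIncoming` would also pin down whether `--setblockall` is meant to be emitted while the firewall's global state is off, which the module's new gating allows.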