
{ config, lib, ... }:
let
  inherit (lib) mkOption mkEnableOption optionalString types;

  fw = config.networking.applicationFirewall;

  # Render a single `socketfilterfw --<flag> on|off` command line.
  # Only flag names written in this module and boolean option values ever
  # reach the generated script, so nothing user-controlled is interpolated
  # into the shell unquoted.
  setFlag =
    flag: enabled:
    "/usr/libexec/ApplicationFirewall/socketfilterfw --${flag} ${if enabled then "on" else "off"}";
in
{
  meta.maintainers = [ (lib.maintainers.prince213 or "prince213") ];

  options.networking.applicationFirewall = {
    # Tri-state on purpose: `null` (the default) means the module does not
    # touch the firewall's global on/off state at all; `true`/`false` sets it.
    enable = mkOption {
      type = types.nullOr types.bool;
      default = null;
      example = true;
      description = "Whether to enable application firewall.";
    };

    # Only applied when `enable = true` (see the activation script below).
    blockAllIncoming = mkEnableOption "blocking all incoming connections";

    # Defaults to `true`: built-in software may accept incoming connections.
    allowSigned = mkEnableOption "built-in software to receive incoming connections" // {
      default = true;
    };

    # Defaults to `true`: downloaded, signed software may accept incoming
    # connections.
    allowSignedApp = mkEnableOption "downloaded signed software to receive incoming connections" // {
      default = true;
    };

    # Defaults to `false` (mkEnableOption default).
    enableStealthMode = mkEnableOption "stealth mode";
  };

  config = {
    # Applied on every activation, in this order:
    #   1. global state   - only when `enable` is not `null`
    #   2. block-all      - only when `enable == true`
    #   3. allow-signed, allow-signed-app, stealth-mode - unconditionally,
    #      even when `enable` is `null` or `false`.  Importing this module
    #      therefore (re)asserts those three settings at their option values
    #      on each activation, regardless of whether the firewall is managed
    #      or turned on here.
    # The progress message goes to stderr; socketfilterfw's own output is
    # left on stdout.  A skipped conditional command leaves an empty line in
    # the script, which the shell ignores.
    system.activationScripts.networking.text = ''
      echo "configuring application firewall..." >&2
      ${optionalString (fw.enable != null) (setFlag "setglobalstate" fw.enable)}
      ${optionalString (fw.enable == true) (setFlag "setblockall" fw.blockAllIncoming)}
      ${setFlag "setallowsigned" fw.allowSigned}
      ${setFlag "setallowsignedapp" fw.allowSignedApp}
      ${setFlag "setstealthmode" fw.enableStealthMode}
    '';
  };
}