Rules passed to OpenGFW. Example rules

The ordered audit rules, with each string appearing as one line of the audit.rules file.

Declarative configuration of firewall rules

udev rules to include in the initrd only

Rules for creation, deletion and cleaning of volatile and temporary files automatically

A list of the given alerting or recording rules against configured "datasource.url" compatible with Prometheus HTTP API for vmalert to execute

The rule statement configures a GNU Rush rule

Global user rules for creation, deletion and cleaning of volatile and temporary files automatically

Path to file containing OpenGFW rules.

Whether to enable logging for the rule.

Name of the rule.

Alerting and/or Recording rules to evaluate at runtime.

Expr Language expression using analyzers and functions.

Rich rules for the zone.

Per-user rules for creation, deletion and cleaning of volatile and temporary files automatically

The USBGuard daemon will load this as the policy rule set

Window class translation rules. /etc/X11/imwheelrc is generated based on this config which means this config is global for all users

Action of the rule. Supported actions

Which package to copy default rules,types,cgroups from.

This is a rule that the target address is to match against

This is the target address is to match against

A list of the given alerting or recording rules against configured "datasource.url" compatible with Prometheus HTTP API for vmalert to execute

Modification of specified packets when using the modify action. Available modifiers

Name of the modifier.

Arguments passed to the modifier.

Declarative configuration of networkd-dispatcher rules

Path to YAML rules configuration

Interface to use when method is iface.

static: Immediately answer any Neighbor Solicitation Messages (if they match the IP rule). iface: Forward the Neighbor Solicitation Message through the specified interface and only respond if a matching Neighbor Advertisement Message is received. auto: Same as iface, but instead of manually specifying the outgoing interface, check for a matching route in /proc/net/ipv6_route.

Grafana rules configuration in Nix

Shell commands executed on specified operational states.

The path to load specific local geoip/geosite db files

List of names of the systemd-networkd operational states which should trigger the script

The ruleset file to be used with nftables

List of rule groups to import or update.

Name of the rule group

Config file version.

List of alert rule UIDs that should be deleted.

Unique identifier for the rule

Organization ID, default = 1

Name of the folder the rule group will be stored in

Additional bot rules appended to the policy

Additional bot rules appended to the policy

Interval that the rule group should be evaluated at

Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones for the configured link-layer packet type.

Additional udev rules

Path to geoip.dat.

The ruleset to be used with nftables

Path to geosite.dat.

List of rules to be added to /etc/xdg/pay-respects/rules. pay-respects will read the contents of these generated rules to recommend command corrections

Define specific rules to be in the sudoers file

Define specific rules to be in the sudoers file

If false (the default), this is up to the user to declare the firewall rules

Define specific rules to be set in the /etc/doas.conf file

Path to the files with alerting and/or recording rules.

Path to the files with alerting and/or recording rules.

Labels to treat as a replica indicator along which data is deduplicated

List of packages containing systemd-tmpfiles rules

Whether to enable udev rules and software for Lian Li Uni Controllers.

Packages added to the PATH environment variable when executing programs from Udev rules.

coreutils, gnu{sed,grep}, util-linux and config.systemd.package are automatically included.

Whether to enable udev rules for Ledger devices.

File which contains the rules to handle UPS events.

Hub collections, parsers, AppSec rules, etc.

Whether to enable lvm2.

Ingress rules

Whether to install Light backlight control command and udev rules granting access to members of the "video" group.

Whether to enable PN5xx kernel module with udev rules, libnfc-nci userland, and optional ifdnfc-nci PC/SC driver.

Rules for specific window types.

Network that we proxy. (Legacy option, use services.ndppd.proxies.<interface>.rules.<network> instead)

Whether to enable udev rules for devices supported by libftdi.

Whether to enable Ferm Firewall. Warning: Enabling this service WILL disable the existing NixOS firewall! Default firewall rules provided by packages are not considered at the moment.

This sets up a listener, that will listen for any Neighbor Solicitation messages, and respond to them according to a set of rules.

Depending on the local firewall/NAT rules, you might need to force Miredo to use a fixed UDP port and or IPv4 address.

List of packages containing udev rules

Defines how users authenticate themselves to the server

Enables udev rules for BladeRF devices

Whether to enable udev rules for Saleae Logic devices.

Rules to write in 'nixRules.rules'

Whether to enable the msr (Model-Specific Registers) kernel module and configure udev rules for its devices (usually /dev/cpu/*/msr).

Any polkit rules to be added to config (in JavaScript ;-)

Rules that control the opacity of windows, in format PERCENT:PATTERN.

Specify the rules for which files to read on the host

Enables udev rules for Nitrokey devices.

Path of file to link to /etc/rspamd/rspamd.local.lua for local rules written in Lua

This option defines extra ignore rules.

Whether to include Anubis's default bot detection rules via the (data)/meta/default-config.yaml import

Whether to include Anubis's default bot detection rules via the (data)/meta/default-config.yaml import

Extra CSS rules to apply on top of the GTK theme

Per-user rules for creation, deletion and cleaning of volatile and temporary files automatically.

Group for Ubertooth's udev rules.

Enables Glasgow udev rules and ensures 'plugdev' group exists

Whether to enable minipro and its udev rules

Wether to enable VictoriaMetrics's vmalert.

vmalert evaluates alerting and recording rules against a data source, sends notifications via Alertmanager.

List of hub appsec rules to install

Whether to allow traffic on the loopback interface

This option defines extra ignore rules for cronjobs.

Directories with extra rules.

Extra nftables rules to prepend to the generated ones

Path to PCAP replay file

Enables rtl-sdr udev rules, ensures 'plugdev' group exists, and blacklists DVB kernel modules

Installs flashrom and configures udev rules for programmers used by flashrom

Whether to enable Ubertooth software and its udev rules.

Depending on the local firewall/NAT rules, you might need to force Miredo to use a fixed UDP port and or IPv4 address.

Whether to enable the Thanos ruler service which evaluates Prometheus rules against given Query nodes, exposing Store API and storing old blocks in bucket.

Whether to enable quark-goldleaf with udev rules applied.

Options used for the default rules, granting root and the wheel group permission to run any command as any user.

Whether to enable FLEXOPTIX app + udev rules.

Interface which is on link-level with router. (Legacy option, use services.ndppd.proxies.<interface>.rules.<network> instead)

Options used for the default rules, granting root and the wheel group permission to run any command as any user.

Whether to install and set up mouse-actions and it's udev rules

Whether to enable ns-usbloader application with udev rules applied.

Enables hackrf udev rules and ensures 'plugdev' group exists

Whether to enable configuring flashprog udev rules and installing flashprog as system package .

Enable udev rules for Steam hardware such as the Steam Controller, other supported controllers and the HTC Vive

Whether to enable the SDRplay API service and udev rules.

Enables sheep_net udev rules, ensures 'sheep_net' group exists, and adds sheep-net to boot.kernelModules and boot.extraModulePackages

Any additional rules files to include in this configuration.

Whether to enable the feedbackd D-BUS service and udev rules

List of rules that should be disabled.

Location of the dokuwiki acl rules

Variables to be used within the suricata rules.

Enables kryoflux udev rules, ensures 'floppy' group exists

Generate device specific rules including the "via-port" attribute.

Whether to enable udev rules for gnupg smart cards.

Relay rules are used to send certain metrics to a certain backend.

Action for packets that doesn't match any rules.

This will only be used when systemd is used in stage 1.

List of packages containing udev rules that will be copied to stage 1

Whether to enable Shorewall IPv4 Firewall.

Declare systemd-tmpfiles rules to create, delete, and clean up volatile and temporary files and directories

Whether to enable udev rules for devices supported by libjaylink

Whether to configure system to enable use of dmrconfig

Whether to enable udev rules and software for Flipper Zero devices.

Keep or set the specified variables

This will only be used when systemd is used in stage 1.

Packages to search for binaries that are referenced by the udev rules in stage 1

Whether to enable udev rules added by input-remapper to handle hotplugged devices

Whether to enable udev rules for keyboards from ZSA like the ErgoDox EZ, Planck EZ and Moonlander Mark I

An absolute path to an executable to be run for each process killed

Files to load suricata-update managed rules, relative to 'default-rule-path'.

Whether to enable Shorewall IPv6 Firewall.

Whether to allow traffic to local networks

List of reader name patterns for the PCSC daemon to ignore

Assign block I/O scheduler by device name pattern

Additional nftables rules to be appended to the input-allow chain

Listen for any Neighbor Solicitation messages on this interface, and respond to them according to a set of rules

Similar to systemd.tmpfiles.settings but the rules are only applied by systemd-tmpfiles before initrd-switch-root.target

Enable this option if you plan on using the webfinger plugin

Whether to enable udev rules for keychron QMK based keyboards.

Install polkit rules to allow Mirakurun to access smart card readers which is commonly used along with tuner devices.

Whether to allow users in the 'wireshark' group to capture USB traffic

Configure Sieve filtering rules on IMAP actions

The framework to use for attaching Jool's translation to the exist kernel packet processing rules

OpenFlow rules to insert into the Open vSwitch

The framework to use for attaching Jool's translation to the exist kernel packet processing rules

Path in which suricata-update managed rules are stored by default.

Wether to enable VictoriaMetrics's vmalert.

vmalert evaluates alerting and recording rules against a data source, sends notifications via Alertmanager.

Whether to run reaction as root

Whether to flush all runtime rules on a reload.

Additional nftables rules to be appended to the forward-allow chain

Server definitions ("stanzas") for the client system-options file

Whether to clean up firewall rules when firewalld stops.

Single or list of files for which rules are defined

Firewall rules for inbound traffic.

Tinyproxy supports filtering of web sites based on URLs or domains

Enables udev rules for Digital Bitbox devices.

A list of routing policy rules sections to be added to the unit

URL remapping rules used by Traffic Server

Caching rules that overrule the origin's caching policy

Path to the directory where firewall rules can be found and will get stored by the NixOS module.

Whether to enable usage of a compatibility bundle

Firewall rules for outbound traffic.

The digitalbitbox package to use

The digitalbitbox package to use

Additional nftables rules to be appended to the rpfilter-allow chain

Adds custom rules to the IPv4 scope table

List of packages containing uvcvideo dynamic controls rules

Text to append to the corresponding configuration files

This is a convenience option which allows you to set secret values for environment variables by specifying a file which will contain the value at runtime

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nut.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.lnd.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.sql.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.frr.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.pve.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.zfs.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.kea.openFirewall is true.

If enabled, the generated nftables rule set will be owned exclusively by firewalld

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nats.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.bind.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.ping.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.flow.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.json.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.ipmi.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.bird.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.mail.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.ebpf.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.knot.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.node.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.snmp.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.mqtt.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.php-fpm.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nginx.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.redis.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.kafka.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.idrac.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.v2ray.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.jitsi.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.fritz.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.dmarc.openFirewall is true.

The firewall backend implementation

If this option is enabled, the guest will be isolated, i.e. it will not be able to contact the host and no guest IP packets will be routed over the host to the outside

Armagetron Advanced server rules configuration

Specify rules for nftables to add to the input chain when services.prometheus.exporters.node-cert.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.fastly.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.shelly.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.statsd.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.domain.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.tibber.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.rspamd.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.deluge.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.chrony.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.pihole.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.script.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.dnssec.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.restic.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.mysqld.openFirewall is true.

Turn on proxy_arp for this device

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nvidia-gpu.openFirewall is true.

If enabled, the generated destination NAT (DNAT) rules will NOT accept traffic that was DNAT'd by other entities, e.g. docker

Specify rules for nftables to add to the input chain when services.prometheus.exporters.bitcoin.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.dnsmasq.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.unbound.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.apcupsd.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.libvirt.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.rtl_433.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.varnish.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.postfix.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.sabnzbd.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.ecoflow.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.klipper.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.systemd.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.dovecot.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.mongodb.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.process.openFirewall is true.

The backend used to setup virtual network firewall rules.

Enable OpenTabletDriver udev rules, user service and blacklist kernel modules known to conflict with OpenTabletDriver.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.py-air-control.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.unpoller.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.blackbox.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.influxdb.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.collectd.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.mikrotik.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.fritzbox.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.graphite.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nginxlog.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.mailman3.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.postgres.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.keylight.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.opnsense.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.smartctl.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.imap-mailstat.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.pgbouncer.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nextcloud.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.surfboard.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.smokeping.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.wireguard.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.rasdaemon.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.borgmatic.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.tailscale.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.junos-czerwonk.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.scaphandre.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.storagebox.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.buildkite-agent.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-sonarr.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-lidarr.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-bazarr.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-radarr.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-readarr.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.artifactory.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-prowlarr.openFirewall is true.

Specify rules for nftables to add to the input chain when services.prometheus.exporters.modemmanager.openFirewall is true.

Section for a local authentication round

Sets the password for WPA-PSK

Set of characters used as the delimiters for address extensions

How frequently to evaluate rules by default

Sets the password for WPA3-SAE

Netfilter mark and mask for output traffic

Netfilter mark and mask for input traffic

Sets the password(s) for WPA-PSK

This script gets run before the ruleset is checked

This tells the USBGuard daemon which file to load as policy rule set

Run nft check on the ruleset to spot syntax errors during build

The world used by the default map ruleset

Tables to be added to ruleset

Whether to enable flushing the entire ruleset on each reload.

Set of paths that should be intercepted and rewritten while checking the ruleset using pkgs.buildPackages.libredirect.