From 7a5bd8f2f7a40eca90976c1eaa8666ff50f063a1 Mon Sep 17 00:00:00 2001 From: aszlig Date: Tue, 22 Apr 2014 06:51:16 +0200 Subject: common: Disable packet filter for all machines. Enabling netfilter, especially connection tracking modules add unnecessary complexity to the systems. So I really don't want to increase the attack surface of the machine because of that. Just close the ports you don't need and listen locally for stuff that doesn't need to be public and we don't really need to have netfilter enabled. Signed-off-by: aszlig
---
common.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'common.nix')
diff --git a/common.nix b/common.nix
index 1935f295..25bc8656 100644
--- a/common.nix
+++ b/common.nix
@@ -41,6 +41,7 @@ networking = {
 wireless.enable = false;
+ firewall.enable = false;
 };
 fileSystems = {
-- cgit 1.4.1
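Review bot: `firewall.enable = false;` in the shared common.nix removes the default-deny inbound policy for every machine that imports it, so any service that binds a wildcard address on any host becomes reachable from every interface, and the rationale in the commit message (close unneeded ports, listen locally) is a convention that nothing enforces once this line lands. Consider keeping the firewall enabled here and letting each host's module open only what it needs via `networking.firewall.allowedTCPPorts`, or, if the global disable stays, record the invariant beside the line: `# Firewall intentionally disabled on every host: each service MUST bind to localhost or a deliberately chosen interface.` Note also that, as far as I can tell, this option only skips the NixOS firewall rule setup; other components may still load netfilter/conntrack modules, so the attack-surface argument should be confirmed on a running host rather than assumed. The enclosing `networking` attribute set begins at or before the start of this hunk.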