Firewall exits after 1 sec

Hi, I’m brand new to Nix, just installed tonight. I am reporting here what I am seeing in every Linux with systemd that I have tried (Arch-based, Debian-based, Ubuntu, about 12 distros in all). I have come to the conclusion that either there is a serious flaw in systemd or else it is my hardware. Likely the latter.

I do a fresh install and then check the firewall. On Nix 25.05 I get this:

[…:~]$ systemctl status firewall
● firewall.service - Firewall
Loaded: loaded (/etc/systemd/system/firewall.service; enabled; preset: ignored)
Active: active (exited) since Tue 2025-08-05 20:20:23 BST; 39min ago
Invocation: 5e751f7f04ab45b3aa4c93e6ee0cb406
Process: 948 ExecStart=firewall-start (code=exited, status=0/SUCCESS)
Main PID: 948 (code=exited, status=0/SUCCESS)
IP: 0B in, 0B out
IO: 1.1M read, 0B written
Mem peak: 10.3M
CPU: 118ms

Aug 05 20:20:22 nixos systemd[1]: Starting Firewall…
Aug 05 20:20:23 nixos systemd[1]: Finished Firewall.

FWIW journalctl -u firewall -b gives the last 2 lines exactly and no more.

Enabled, active and exited within 1 second. BUT systemd still reports it as Active. No one has taken me seriously but I think this is a big problem. I’ve got a late 2024 HP Zbook Fury with Nvidia graphics. Either Nvidia or other hardware (complex uefi bios) is breaking something or else systemd has been security breached. You see my concern? These are the only things in common. Hardware and systemd.

Firewalld does work OK. The difference is that it runs through dbus. Why that makes a difference I don’t know but it is the only thing I’ve spotted. That said I am also having difficulties running Wireguard with similar rapid exits while systemd still thinks it is active.

Many thanks for any insight

The firewall is working. That unit only configures it and then exits; this is called a “oneshot” unit. As long as it doesn’t finish with an unclean exit code it will be considered active.

The firewall is the kernel-level iptables, which does not need a running process to be active; the kernel is simply configured to block requests according to a set of rules, and since it’s the kernel, this isn’t considered part of any “process”.

You can inspect the rules with sudo iptables -L, and you’ll see some chains explicitly named NixOS.

If you’d like to make sure, feel free to open an application on a random port and try to access it from another host on your local network. E.g. nc -l 9999, and then elsewhere nc <ip> 9999. Normally anything you type on the other host would appear on the terminal on the other side, but since the firewall blocks that traffic instead you’ll get a timeout after a while (or it just hangs forever, I forget which in this case).

It has to be another host, since accessing any ports locally from your machine is permitted. That said, this isn’t a fool-proof check; your local network may also block local traffic. If you want to make sure it reached your machine, watch sudo dmesg -w for firewall messages.

FWIW, firewalls on your average consumer device are a little overrated anyway. They don’t do anything if you don’t have vulnerable software listening on a port that you don’t intend to have listening; basically this only happens if you’re already infected with malware (at which point a firewall barely helps anymore anyway), or if you run some very unwise and outdated software (which can happen, I guess, but is much less likely in 2025 than in 1999). Even then, 99% of devices are behind NAT nowadays, so in the unlikely case it’d actually protect you against something, this only matters very rarely (practically just when using public networks). Firewalls for your use case are almost vestigial IMO.

I’m not saying you shouldn’t have one, just that you shouldn’t be as scared of the potential of it being off. They don’t hurt, and they’re basically zero cost, so why not have it configured. Have fun with your on-by-default firewall on NixOS :slight_smile:

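To make the point of the answer above concrete, here is an added example (not from the thread or from NixOS itself): a small POSIX sh function that reads the key=value output of `systemctl show` and says whether "active (exited)" is the expected state. It assumes the unit properties Type, RemainAfterExit, ActiveState, SubState and ExecMainStatus, which systemd does expose; the two input samples are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: classify a systemd unit's state from `systemctl show` output.
# For a Type=oneshot unit with RemainAfterExit=yes (NixOS's firewall.service)
# "active (exited)" is normal: the process only loaded rules into the kernel and
# the kernel keeps enforcing them. A non-zero ExecMainStatus is the real alarm.

classify_unit() {
    # $1: key=value text as printed by
    # systemctl show -p Type,RemainAfterExit,ActiveState,SubState,ExecMainStatus UNIT
    type=$(printf '%s\n' "$1" | sed -n 's/^Type=//p')
    remain=$(printf '%s\n' "$1" | sed -n 's/^RemainAfterExit=//p')
    active=$(printf '%s\n' "$1" | sed -n 's/^ActiveState=//p')
    sub=$(printf '%s\n' "$1" | sed -n 's/^SubState=//p')
    status=$(printf '%s\n' "$1" | sed -n 's/^ExecMainStatus=//p')

    if [ "$active" = "failed" ] || [ "$status" != "0" ]; then
        echo "failed: ExecMainStatus=$status, check journalctl -u for the error"
    elif [ "$type" = "oneshot" ] && [ "$remain" = "yes" ] && [ "$sub" = "exited" ]; then
        echo "ok: oneshot finished, rules stay loaded in the kernel"
    elif [ "$sub" = "running" ]; then
        echo "ok: long-running daemon is up"
    elif [ "$active" = "inactive" ]; then
        echo "stopped: unit is not active, nothing is enforced by it"
    else
        echo "unknown: $active ($sub)"
    fi
}

# Constructed sample: a healthy NixOS firewall unit.
FIREWALL_SAMPLE='Type=oneshot
RemainAfterExit=yes
ActiveState=active
SubState=exited
ExecMainStatus=0'

# Constructed sample: a oneshot unit whose script failed (e.g. a bad rule).
BROKEN_SAMPLE='Type=oneshot
RemainAfterExit=yes
ActiveState=failed
SubState=failed
ExecMainStatus=1'

classify_unit "$FIREWALL_SAMPLE"
classify_unit "$BROKEN_SAMPLE"
```

On a real host, feed it live data with `classify_unit "$(systemctl show -p Type,RemainAfterExit,ActiveState,SubState,ExecMainStatus firewall)"`.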

Ahhh, thank you ever so much for the detailed response! There was a third common factor. My silly head. Too dull I’ve been, see!

Worries soothed. I shall enjoy exploring.
Thank you! I’m 72 by the way, sometimes my thinking gets inflexible. Lol never mind :slight_smile:

Hah, and here I go explaining nc to a bona fide greybeard like it’s some arcane magic ;p

Well I do have a grey beard but whereas a few dozen of my peers in college learned unix in 1974 on a Big Iron mainframe, I took no interest until the early 1990s. This means I am very glad of the tip about netcat! I’ve never used it much. Thanks again :slight_smile:
