From 8d1a8a35b270dff17f1edfe4bab2d2d4fd1e50d3 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Fri, 12 Feb 2016 17:51:31 +0100
Subject: [PATCH 1/2] nixos-generate-config: Add enabling the firewall

As we're going to turn it off by default, so this will make it easier for new and not so savvy users to not open random ports to the outside world.

Signed-off-by: aszlig
---
 nixos/modules/installer/tools/nixos-generate-config.pl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl
index ec880e0847263..f45cfde847574 100644
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -528,6 +528,8 @@ sub multiLineList {
 # networking.hostName = "nixos"; # Define your hostname.
 # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networking.firewall.enable = true;
+
 # Select internationalisation properties.
 # i18n = {
 # consoleFont = "Lat2-Terminus16";
From eedd4978e7be364ba0695ab440e85fbbd013e70d Mon Sep 17 00:00:00 2001
From: aszlig
Date: Fri, 12 Feb 2016 17:53:53 +0100
Subject: [PATCH 2/2] nixos/firewall: Disable it by default for >= 16.03

The reason for disabling the "firewall" (let's call it just netfilter, shall we?) is that we already have a way to declaratively specify which services we want to run. So we really should *only* run the services that we care for and not introduce additional attack vectors by adding netfilter modules to the kernel (especially the conntrack modules had security flaws in the past). We should also better focus on making the service modules more configurable and by default listen to only the ports that are *necessary* to run the service. As with everything else, the NixOS configuration ultimately should represent the stuff the user *wants* to have and *only* that.
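Review bot: The new `networking.firewall.enable = true;` line is the only uncommented setting in this part of the generated template, and nothing tells the reader that it turns on default-deny for inbound traffic or how to open a port, so the path of least resistance when a freshly installed service is unreachable is to delete the line, which defeats the stated purpose of the change. I would add a trailing comment, e.g. `networking.firewall.enable = true; # Block inbound connections that are not explicitly allowed (see networking.firewall.allowedTCPPorts).`, assuming allowedTCPPorts is the intended knob for opening ports. Note also that this only covers configurations produced by nixos-generate-config after this commit; existing configuration.nix files are untouched and rely solely on the stateVersion-gated default introduced in the second patch. The template text these lines belong to begins and ends outside the hunk.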
Signed-off-by: aszlig
---
 nixos/modules/services/networking/firewall.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index e11fe072be651..52c8bbeec87dc 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -232,7 +232,7 @@ in
 networking.firewall.enable = mkOption {
 type = types.bool;
- default = true;
+ default = versionOlder config.system.stateVersion "16.03";
 description = ''
 Whether to enable the firewall. This is a simple stateful