From a06273419c22ce9b571ea25dc15b7cd83a1e9e3c Mon Sep 17 00:00:00 2001
From: Chris Thompson <chris@agaric.com>
Date: Tue, 1 Apr 2025 17:19:26 -0400
Subject: [PATCH] Adjust networking to allow Wireguard client to work properly

---
 hosts/default/configuration.nix | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix
index 52c65d0..2c3b6a9 100644
--- a/hosts/default/configuration.nix
+++ b/hosts/default/configuration.nix
@@ -176,7 +176,24 @@
 
   # For xdebug...verify actual necessity
   # Have had to use this, but I think it can be disabled still - perhaps w/xdebug binding setting...don't know.
-  networking.firewall.allowedTCPPorts = [ 9003 ];
+  #networking.firewall.allowedTCPPorts = [ 9003 ];
+
+  networking.firewall = {
+    allowedTCPPorts = [ 9003 ];
+    allowedUDPPorts = [ 51820 ];
+    # if packets are still dropped, they will show up in dmesg
+    logReversePathDrops = true;
+    checkReversePath = "loose";
+    # wireguard trips rpfilter up
+    #extraCommands = ''
+    #  ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+    #  ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+    #'';
+    #extraStopCommands = ''
+    #  ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+    #  ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+    #'';
+  };
   # Allow unfree packages
   nixpkgs.config.allowUnfree = true;
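Review bot: The commented-out `#networking.firewall.allowedTCPPorts = [ 9003 ];` at the top of the hunk is misleading, because the new `networking.firewall` attrset immediately below re-opens the same port via `allowedTCPPorts = [ 9003 ];`, so the xdebug listener stays reachable on every interface while the comment above it still says its necessity is unverified; either delete the stale commented line or drop `9003` from the new list until it is shown to be needed (if PHP runs on another host or container, `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 9003 ];` limits it to that link). `checkReversePath = "loose";` relaxes reverse-path filtering on all interfaces, not just the WireGuard one, whereas the commented `extraCommands`/`extraStopCommands` block already in the hunk is the narrower fix that exempts only UDP 51820 from `nixos-fw-rpfilter`; I would uncomment that block and leave `checkReversePath` at its default rather than the other way round. Since the subject describes a WireGuard client, `allowedUDPPorts = [ 51820 ];` is presumably unnecessary — a client that initiates the handshake to its peer's endpoint receives replies through conntrack — so unless this host also accepts inbound handshakes the line can go. The enclosing NixOS module attrset begins and ends outside the hunk.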