nftfw logo

nftfw - a nftables firewall builder for Debian

The nftfw package builds firewalls for nftables. The system copies the simple configuration model for firewall management created for the iptables based firewall package supplied as part of Bytemark's Symbiosis hosting package and also for Sympl, a fork of Symbiosis. For example, adding a new IP address to the whitelist simply involves creating a file named for the IP address in a control directory. Adding a new rule permitting access to a port just takes the addition of a suitably named file in another directory. As far as possible, nftfw follows the easy-to-use file based user interface used by Symbiosis/Sympl and may run using the same control files, making it a viable drop-in choice.

nftfw doesn't need Sympl or Symbiosis, it's stand-alone and will run on any Debian Buster system. It should work on other Linux distributions. The package is written in Python 3 and needs at least the 3.6 release.

  • Easy-to-use firewall admin. Four directories control the firewall. Placing files in the directories create firewall rules configured from the file names. The incoming.d and outgoing.d directories supply rules allowing access to ports for incoming and outgoing connections. These files are usually empty, but can contain IP addresses to make the rule more specific. Two more directories, blacklist.d and whitelist.d, contain IP addresses, blocking or allowing access for specific addresses. These files can contain ports, again modifying the action of the rule. Changing the firewall is simply a matter of making or removing a file in one of these directories. The directory contents are described in detail in the User's Guide, while the How do I... or Quick Users' Guide gives a more task oriented decription.

  • Automatic blacklisting. The system contains a log file scanner that uses regular expressions to detect unwanted access and then creates files in the blacklist.d directory to block access to any matched IP address. Files to scan, the relevant ports to block for the file and the regular expressions for matching are all contained in a set of files in patterns.d. Pattern files are small text files, easy to add and edit, and the system contains a method of testing them. The nftfw configuration file controls the number of matched lines needed for blocking and how long to wait before removing the IP address from the blacklist.

  • Firewall feedback. The blacklist scanner can be told how to scan the syslog file looking for log entries from nftables and updates the blacklist database when a blocked IP address returns, keeping it in the firewall until it stops being active.

  • Automatic whitelisting. The whitelist scanner looks in the system's wtmp file for logins from users and automatically whitelists their IP addresses.

  • Full use of nftables sets. Blacklist and whitelist rules use nftables sets, and nftfw tries not to perform a full firewall reload until it's needed. If just the blacklist or whitelist sets change, then only those sets are reloaded.

  • Configurable nftables template. A user editable template provides the framework for nftablesnftfw uses the template on every firewall build, using 'includes' to pull in its own rules. The use of a template allows for local changes, perhaps to support internal LAN interfaces on a gateway machine. A sample version of the template file used on my gateway machine is supplied.

  • Editable nftables commands. Rules in incoming.d and outgoing.d use small action files that are shell scripts to create data for nftables rules. The scripts are called with a defined set of environment variables and generate output using echo. Again the idea is that local tailoring should be possible and easy.

  • Blacklist monitoring. The system provides a tool listing the current blacklist status. For each live entry it shows: the IP address and optionally the country of origin, the blocked ports, the date and time of the first and last access and the difference between the two times. HTML output can be generated so the data can be seen from the web. A sample PHP webpage is provided.

  • Admin editing. A database editor allows admins to add and delete entries from the blacklist database.

  • Initial configuration. The system comes with a fully configured set of firewall rules and is supplied with some working pattern files that are in use now keeping the bad guys out.

What's on this site?

Full installation »

Full installation of the system for Debian Buster.

Installation instructions »

For those who want a bare bones list of tasks.

Installing Geolocation »

Installing Geolocation, adding country detection to nftfwls, which is optional but desirable.

Updating nftfw »

How to update your copy of nftfw/

User's Guide »

The full User guide, the first section explains how the system is controlled.

How do I.... »

A more task directed guide.

Manual pages »

Manual pages for the four commands.

Contact »

A contact form.