For those of you who just want a list of instructions without the verbiage, this document lists all the steps in the Installing nftfw document. Links, shown as 'Explanation', point to the relevant part of the Installation document.
NB. Versions of nftfw from 0.6 onwards no longer use incron to create active directories. If you installed a previous version, make sure you remove incron support.
If this installs a version less than 0.9.3, then edit /etc/apt/sources.d and add
Install Python packages (Explanation)
Check on the state of iptables, and set things up to use the nftables compatibility mode (Explanation)
If the output looks like this, then skip to 'Installing nftfw'. If the word in brackets is 'legacy', do the following:
Run sudo iptables -V again to check that things have switched, and
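The backend check in the two steps above, written out as a small POSIX shell script. This is an added example and not part of the nftfw documentation: it classifies the word that `iptables -V` prints in brackets and, when that word is 'legacy', switches to the nf_tables variant. It assumes a Debian-style system where iptables is managed by update-alternatives and the iptables-nft package is installed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the nftfw docs): classify the iptables backend
# from the output of "iptables -V" and, when it is the legacy backend,
# switch Debian's alternatives to the nf_tables variant.
# Assumption: Debian-style update-alternatives with iptables-nft installed.

# Print the backend named in brackets: "legacy", "nf_tables" or "unknown".
iptables_backend() {
    version_line=$1
    case "$version_line" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# Succeed (return 0) when the version line names the legacy backend.
needs_switch() {
    [ "$(iptables_backend "$1")" = legacy ]
}

# Point iptables and ip6tables at their nf_tables variants. Needs root.
switch_to_nft() {
    for tool in iptables ip6tables; do
        update-alternatives --set "$tool" "/usr/sbin/${tool}-nft" || return 1
    done
}

# Driver: read the live version string, switch if needed, then re-check.
check_and_switch() {
    live=$(iptables -V 2>/dev/null) || { echo "iptables not found" >&2; return 1; }
    if needs_switch "$live"; then
        echo "legacy backend in use, switching to nf_tables"
        switch_to_nft && iptables -V
    else
        echo "backend already $(iptables_backend "$live"), nothing to do"
    fi
}

# Usage on a live system (as root):  . ./iptables-backend.sh; check_and_switch
```

Only `iptables_backend` and `needs_switch` are pure string handling; `switch_to_nft` and `check_and_switch` change the system and need root.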
Get nftfw installation and install (Explanation)
Change into the nftfw directory you've just installed and:
Install nftfw infrastructure:
Answers for default installation:
Alternatively, without any user interaction:
Edit the AUTO_USER line to the user you want to own the files in etc/nftfw, and run the script as above. The Autoinstall.conf file is ignored by git, so this script can be used to update any future releases.
Edit /usr/local/etc/nftfw/config.ini. Change: (Explanation)
Remove the semi-colon and, after the =, add the user you selected when installing the files.
Change the logging level for now. Change

```
# what level are we logging at
# needs to be a level name not a value
# CRITICAL, ERROR, WARNING, INFO, DEBUG
;loglevel = ERROR
```

Remove the semi-colon, and change ERROR to INFO.
If you have a file in /etc/nftables.conf (use ls) and you've installed nftfw in the root of the file system, then in the Locations section change

```
# Location of system nftables.conf
# Usually /etc/nftables.conf
;nftables_conf = /etc/nftables.conf
```

Remove the semi-colon, and replace the value /etc/nftables.conf with /etc/nftables.conf.new. This avoids writing over the current /etc/nftables.conf.
- On Symbiosis, move /etc/cron.d/symbiosis-firewall to a safe place.
- On Symbiosis, move /etc/incron.d/symbiosis-firewall to a safe place.
- On Sympl, move /etc/cron.d/sympl-firewall to a safe place.

```
$ sudo nftfw -x -v load
nftfw: Loading data from /usr/local/etc/nftfw
nftfw: Creating reference files in /usr/local/var/lib/nftfw/test.d
nftfw: Test files using nft command
nftfw: Testing nft rulesets from nftfw_init.nft
nftfw: Determine required installation
nftfw: No install needed
```

The number in the log is the process id, so it will be different for you.
If you don't have a running nftables or iptables firewall, then skip to 'Run a test...'.
If you DO, carry on here (Explanation).
If you have a running firewall, save its rules first:
Output should end with 'Install rules in ...', naming wherever the config.ini file tells nftfw to store the nftables.conf file.
will list the ruleset.
If you have a problem, revert to old rules:
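The save-and-revert step above, as an added example that is not part of the nftfw documentation. Because the earlier step switched iptables to the nf_tables backend, `nft list ruleset` captures both nft and iptables rules, so one snapshot is enough. The `flush ruleset` line at the top of the snapshot makes the file a complete replacement when it is fed back with `nft -f`, rather than appending duplicate rules. The command variables exist so the functions can be exercised with stand-ins; the function names and backup directory are my own choices.

```shell
#!/bin/sh
# Added example (not from the nftfw docs): snapshot the running firewall
# before nftfw replaces it, and reload that snapshot if something goes wrong.
# Assumes the nft binary is the tool on the host; the *_CMD variables are
# overridable so the functions can be tested with stand-in commands.
NFT_LIST_CMD=${NFT_LIST_CMD:-"nft list ruleset"}
NFT_RESTORE_CMD=${NFT_RESTORE_CMD:-"nft -f"}

# save_firewall_rules DIR: write a timestamped snapshot into DIR and print
# its path. The file is made 0600 because a ruleset reveals which
# addresses and ports the host exposes.
save_firewall_rules() {
    dir=$1
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dir/nft-$stamp.rules"
    mkdir -p "$dir" || return 1
    # "flush ruleset" first, so that "nft -f" on this file replaces the
    # live ruleset instead of adding a second copy of every rule.
    { echo 'flush ruleset'; $NFT_LIST_CMD; } > "$out" || return 1
    chmod 600 "$out" || return 1
    echo "$out"
}

# restore_firewall_rules SNAPSHOT: reload a snapshot written above.
restore_firewall_rules() {
    snap=$1
    [ -s "$snap" ] || { echo "no snapshot at $snap" >&2; return 1; }
    $NFT_RESTORE_CMD "$snap"
}

# Usage on a live system (as root):
#   snap=$(save_firewall_rules /var/backups/firewall)
#   ... install nftfw ...
#   restore_firewall_rules "$snap"      # only if the new rules misbehave
```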
If you DON'T have a running nftables or iptables firewall (Explanation). If you DO, then you've done this bit above.
Run this to test the installation. Output should end with 'Install rules in ...', naming wherever the config.ini file tells nftfw to store the nftables.conf file. Now skip to the next section.
will list the ruleset.
Edit /usr/local/etc/nftfw/config.ini to put the nftables.conf file in the right place:

```
# Location of system nftables.conf
# Usually /etc/nftables.conf
nftables_conf = /etc/nftables.conf
```

Then run nftfw again to write it there.
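Every config.ini edit in this document has the same shape: find a `;key = value` line in a named section, drop the semi-colon and set a new value. Doing that by hand is error-prone on a second run (two active lines, or an edit landing in the wrong section), so here is a small POSIX shell and awk helper that performs the edit idempotently. It is an added example and not part of nftfw; it covers the loglevel and nftables_conf edits above and the nftables_conf edit just described. The sample file in the test is constructed from the lines quoted on this page and its section names ([Logging], [Owner]) are assumptions; only the Locations section is named by the document.

```shell
#!/bin/sh
# Added example, not part of nftfw: uncomment-and-set an INI key inside a
# named section, for the config.ini edits described in this document.
#
# ini_set FILE SECTION KEY VALUE
#   - a line ";KEY = old" or "KEY = old" inside [SECTION] becomes "KEY = VALUE"
#   - if the key is absent it is appended to the section; a missing section
#     is created at the end of the file
#   - the file is rewritten in place so its owner and mode are kept
ini_set() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v key="$key" -v val="$value" '
        # Append the key when leaving the target section without a hit.
        function flush_pending() {
            if (in_sec && !done) { print key " = " val; done = 1 }
        }
        /^\[.*\]$/ {
            flush_pending()
            in_sec = (substr($0, 2, length($0) - 2) == sec)
        }
        in_sec && !done {
            line = $0
            sub(/^[ \t]*;[ \t]*/, "", line)   # drop a leading ";" so commented keys match too
            if (match(line, "^" key "[ \t]*=")) {
                print key " = " val
                done = 1
                next
            }
        }
        { print }
        END {
            if (!done) {
                if (!in_sec) print "[" sec "]"
                print key " = " val
            }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# ini_get FILE SECTION KEY: print the active (uncommented) value, if any.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^\[.*\]$/ { in_sec = (substr($0, 2, length($0) - 2) == sec); next }
        in_sec && match($0, "^" key "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit
        }
    ' "$1"
}

# Usage for the edits in this document (as root):
#   ini_set /usr/local/etc/nftfw/config.ini Logging loglevel INFO
#   ini_set /usr/local/etc/nftfw/config.ini Locations nftables_conf /etc/nftables.conf.new
```

Writing the result back with `cat "$tmp" > "$file"` rather than `mv` matters here: config.ini is owned by the user chosen at install time, and a `mv` would replace it with a root-owned file.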
Tell systemctl to enable and start its nftables service.
On a Symbiosis system -
On a Sympl system -
This turns out to be an important step: rebooting without having done it results in a bad combination of two firewalls, because the nftables settings are loaded before the Symbiosis/Sympl ones.
Change into the cronfiles directory in the distribution. If you ran versions of nftfw before 0.6, ensure that you replace the cron.d file with the current version that doesn't run incron.
Make nftfw update the firewall when files in the control directories change. If you don't do this, then you will need to run
when you make a change by hand.
Take these steps if you ran versions of nftfw before 0.6 and used incron.
Install the systemd control files from the systemd directory in the nftfw distribution:

```
$ cd systemd
# check nftfw.path and nftfw.service have correct paths
$ sudo cp nftfw.* /etc/systemd/system
$ cd ..
# start the path unit only
$ sudo systemctl enable nftfw.path
$ sudo systemctl start nftfw.path
$ sudo systemctl status
# DON'T start or enable nftfw.service
# it will be started when needed by nftfw.path
```
Stop incron if it's running and you no longer need it:
Finally a tip that's hard to find: reload systemd if you change the nftfw files after installation and starting:
This will add country detection to nftfwls, which is optional but desirable. See the document. If you plan on blocking addresses by country, then the Geolocation system from Maxmind can provide tools to generate lists of IP addresses in the correct format.
A repository that steps through the changes I make to the standard exim4/dovecot systems on Sympl to improve feedback and detection of bad IPs - see Sympl mail system update.
Now look at:
All of this is made possible by shamelessly borrowing ideas from Patrick Cherry who created the Symbiosis hosting package for Bytemark of which the firewall system is part.