For those of you who just want to follow a list of instructions without any verbiage, this document lists all the steps in the Installing nftfw document. There are links, shown as 'Explanation', to the Installation document.
If this installs a version less than 0.9.3, then edit /etc/apt/sources.d and add
Install incron (Explanation)
Install Python packages (Explanation)
Check on the state of iptables, and set things up to use the nftables compatibility mode (Explanation)
If the output looks like this, then skip to 'Installing nftfw'. If the word in brackets is 'legacy', do the following
Run sudo iptables -V again to check that things have switched, and
Get nftfw installation and install (Explanation)
Change into the nftfw directory you've just installed and:
Install nftfw infrastructure:
Answers for default installation:
Edit /usr/local/etc/nftfw/config.ini. Change: (Explanation)
remove the semi-colon and, after the =, add the user you selected when installing the files.
Change the logging level for now: Change
# what level are we logging at
# needs to be a level name not a value
# CRITICAL, ERROR, WARNING, INFO, DEBUG
;loglevel = ERROR
remove the semi-colon, and change ERROR to INFO.
If you have a file in /etc/nftables.conf (use ls) and you've installed nftfw in the root of the file system, then in the Locations section change
# Location of system nftables.conf
# Usually /etc/nftables.conf
;nftables_conf = /etc/nftables.conf
remove the semi-colon, and replace the value with /etc/nftables.conf.new. This avoids writing over the current /etc/nftables.conf.
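As an added example (not part of the nftfw project or of this page), the script below applies the two config.ini edits just listed (enable loglevel = INFO, and point nftables_conf at /etc/nftables.conf.new when a system nftables.conf already exists), and also includes the check from the iptables step above for the word '(legacy)' in the version output. It assumes config.ini disables a key with a leading ';' exactly as shown above; the sample config, the [Logging] section name and the set_ini_key/configure_nftfw/iptables_is_legacy function names are constructed here.

```shell
#!/bin/sh
# Example helper, not nftfw's own code. Works on a copy of config.ini so
# the live file can be diffed before it is put in place.

# Enable a key and set its value: the first ';key =' or 'key =' line is
# rewritten as 'key = value' (values must not contain '|', the sed delimiter).
set_ini_key() {
    file=$1; key=$2; value=$3
    if grep -q "^;*[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -i "s|^;*[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply the edits from the list above. $2 is the system nftables.conf path
# (default /etc/nftables.conf); a parameter so it can be tested safely.
configure_nftfw() {
    cfg=$1; sysconf=${2:-/etc/nftables.conf}
    # Log at INFO while getting started (the page's 'Change the logging level')
    set_ini_key "$cfg" loglevel INFO
    # If a system nftables.conf exists, write to a .new file instead so the
    # first 'nftfw load' does not overwrite the current rules
    if [ -f "$sysconf" ]; then
        set_ini_key "$cfg" nftables_conf "$sysconf.new"
    fi
}

# True when 'iptables -V' output names the legacy backend, i.e. the
# nftables compatibility mode still needs to be selected.
iptables_is_legacy() {
    case "$1" in *"(legacy)"*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample config in the layout shown on this page (section name
# [Logging] is assumed, not taken from nftfw).
write_sample_config() {
    cat > "$1" <<'EOF'
[Locations]
# Location of system nftables.conf
# Usually /etc/nftables.conf
;nftables_conf = /etc/nftables.conf

[Logging]
# what level are we logging at
# CRITICAL, ERROR, WARNING, INFO, DEBUG
;loglevel = ERROR
EOF
}
```

Run configure_nftfw on a copy of config.ini (and iptables_is_legacy on the output of sudo iptables -V) before copying the edited file back into /usr/local/etc/nftfw.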
On Symbiosis move /etc/cron.d/symbiosis-firewall to a safe place. On Symbiosis move /etc/incron.d/symbiosis-firewall to a safe place. On Sympl move /etc/cron.d/sympl-firewall to a safe place.
$ sudo nftfw -x -v load
nftfw: Loading data from /usr/local/etc/nftfw
nftfw: Creating reference files in /usr/local/var/lib/nftfw/test.d
nftfw: Test files using nft command
nftfw: Testing nft rulesets from nftfw_init.nft
nftfw: Determine required installation
nftfw: No install needed
The number in the log is the process id, so will be different for you.
If you don't have a running nftables or iptables firewall, then skip to next section.
If you DO, carry on here (Explanation)
If you have a running firewall, save its rules first:
Output should end with 'Install rules in ...' - wherever the config.ini file tells nftfw to store the nftables.conf file.
will list the ruleset.
If you have a problem, revert to old rules:
If you DON'T have a running nftables or iptables firewall (Explanation). If you DO, then you've done this bit above.
to test installation. Output should end with 'Install rules in ...' - wherever the config.ini file tells nftfw to store the nftables.conf file. Now skip to next section.
will list the ruleset.
Edit /usr/local/etc/nftfw/config.ini to put the nftables.conf file in the right place
# Location of system nftables.conf
# Usually /etc/nftables.conf
nftables_conf = /etc/nftables.conf
run to write it there
Tell systemctl to enable and start its nftables service.
On a Symbiosis system -
On a Sympl system -
This turns out to be an important step: rebooting without having done this results in a bad combination of two firewalls, because the nftables settings are loaded before the Symbiosis/Sympl ones.
See README in the cronfiles directory.
This will add country detection to nftfwls, which is optional but desirable. See the document.
A repository that steps through the changes I make to the standard exim4/dovecot systems on Sympl to improve feedback and detection of bad IPs - see Sympl mail system update.
Now look at:
All of this is made possible by shamelessly borrowing ideas from Patrick Cherry who created the Symbiosis hosting package for Bytemark of which the firewall system is part.