nftfw - Installation Instructions

For those of you who just want to follow a list of instructions without any verbiage, this document lists all the steps in the Installing nftfw document. There are links, shown as 'Explanation', to the Installation document.

NB. Versions of nftfw from 0.6 no longer use incron to create active directories. If you installed a previous version, make sure you remove incron support.

Basic package installations


If this installs a version less than 0.9.3, then edit /etc/apt/sources.d and add

and then

Install Python packages (Explanation)

Check on iptables

Check on the state of iptables, and set things up to use the nftables compatibility mode (Explanation)

If the output looks like this, then skip to 'Installing nftfw'. If the word in brackets is 'legacy', do the following

Run the sudo iptables -V again, to check things have switched, and
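The bracket check described in this section can be scripted. The following is an added example, not part of the nftfw distribution; the function names backend_of and check_backends are hypothetical, and it goes slightly beyond the text by also accepting ip6tables, which prints its backend the same way.

```shell
#!/bin/sh
# Added example (not nftfw code): report which backend "<tool> -V" names.

# Print the word in brackets from a version line such as
# "iptables v1.8.7 (nf_tables)". Prints "none" when there is no bracket,
# which is what iptables releases before 1.8 produce.
backend_of() {
    case "$1" in
        *"("*")"*) b=${1##*\(}; printf '%s\n' "${b%%\)*}" ;;
        *)         printf 'none\n' ;;
    esac
}

# Run "<tool> -V" for every tool named on the command line and print its
# backend. Returns 0 only when every tool reports nf_tables, so the result
# can gate the rest of an install script.
check_backends() {
    rc=0
    for tool in "$@"; do
        if ! line=$("$tool" -V 2>/dev/null); then
            printf '%s: not runnable\n' "$tool"
            rc=1
            continue
        fi
        b=$(backend_of "$line")
        printf '%s: %s\n' "$tool" "$b"
        [ "$b" = nf_tables ] || rc=1
    done
    return $rc
}

# Typical use, as root:  check_backends iptables ip6tables
```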

Installing nftfw

Get nftfw installation and install (Explanation)

Change into the nftfw directory you've just installed and:

Install nftfw infrastructure:

Answers for default installation:

  • Install under /usr/local? yes
  • See the files installed? your choice
  • Install? yes
  • User to replace root? 'admin' for Symbiosis, 'sympl' for Sympl, 'return' for root
  • Install Manual pages? yes

Alternatively, without any user interaction:

Edit the AUTO_USER line to the user you want to own the files in etc/nftfw, and run the script as above. The Autoinstall.conf file will be ignored by git, so this script can be used to update any future releases.

Setting up config.ini

Edit /usr/local/etc/nftfw/config.ini. Change: (Explanation)


remove the semi-colon and after the = add the user you selected when installing the files.

Change the logging level for now: Change

#  what level are we logging at
#  needs to be a level name not a value
;loglevel = ERROR

remove the semi-colon, and change ERROR to INFO.

If you have a file in /etc/nftables.conf (use ls) and you've installed nftfw in the root of the file system, then in the Locations section change

#  Location of system nftables.conf
#  Usually /etc/nftables.conf
;nftables_conf = /etc/nftables.conf

remove the semi-colon, and replace /etc/nftables.conf by /etc/ This avoids writing over the current /etc/nftables.conf.

Disable cron and incron actions


  • On Symbiosis move /etc/cron.d/symbiosis-firewall to a safe place.
  • On Symbiosis move /etc/incron.d/symbiosis-firewall to a safe place.
  • On Sympl move /etc/cron.d/sympl-firewall to a safe place.

Test that nftfw doesn't complain

The number in the log is the process id, so will be different for you.

Taking precautions if you have a live firewall

If you don't have a running nftables or iptables firewall, then skip to 'Run a test...'.

If you DO, carry on here (Explanation)

If you have a running firewall, save its rules first:

Output should end with 'Install rules in ...' - wherever the config.ini file tells nftfw to store the nftables.conf file.

will list the ruleset.

If you have a problem, revert to old rules:

if not

Run a test if you don't have a live firewall

If you DON'T have a running nftables or iptables firewall (Explanation). If you DO, then you've done this bit above.

to test installation. Output should end with 'Install rules in ...' - wherever the config.ini file tells nftfw to store the nftables.conf file. Now skip to next section.

will list the ruleset.

Final steps


Edit /usr/local/etc/nftfw/config.ini to put the nftables.conf file in the right place

#  Location of system nftables.conf
#  Usually /etc/nftables.conf
nftables_conf = /etc/nftables.conf

run to write it there

Tell systemctl to enable and start its nftables service.

On a Symbiosis system -

On a Sympl system -

This turns out to be an important step: rebooting without having this done results in a bad combination of two firewalls, because the nftables settings are loaded before the Symbiosis/Sympl ones.
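The config.ini edits in 'Setting up config.ini' and 'Final steps' all follow one pattern: remove the leading semi-colon from a default and set its value. The following added example (not nftfw's own code) does that without touching the '#' description lines; ini_set and demo are hypothetical helper names, and the sample file is constructed from the lines quoted on this page.

```shell
#!/bin/sh
# Added example (not part of nftfw): ini_set and demo are hypothetical helpers.
# ini_set FILE KEY VALUE
# Rewrites the one line "KEY = ..." or ";KEY = ..." as "KEY = VALUE".
# "#" description lines are never touched. Fails, leaving FILE unchanged,
# unless exactly one line matches. A copy of the old file is kept as FILE.bak.
ini_set() {
    file=$1
    tmp=$(mktemp) || return 1
    if KEY=$2 VALUE=$3 awk '
        {
            line = $0
            sub(/^;[ \t]*/, "", line)            # drop a leading semi-colon
            eq = index(line, "=")
            name = substr(line, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)    # trim the key name
            if (eq > 0 && name == ENVIRON["KEY"]) {
                print ENVIRON["KEY"] " = " ENVIRON["VALUE"]; hits++
            } else print
        }
        END { exit (hits == 1 ? 0 : 1) }
    ' "$file" > "$tmp"; then
        cp -p "$file" "$file.bak" &&
        cat "$tmp" > "$file"      # overwrite in place: keeps owner and mode
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed sample holding the two settings this page edits.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#  what level are we logging at' \
        '#  needs to be a level name not a value' ';loglevel = ERROR' \
        '[Locations]' '#  Usually /etc/nftables.conf' \
        ';nftables_conf = /etc/nftables.conf' > "$d/config.ini"
    ini_set "$d/config.ini" loglevel INFO &&
    ini_set "$d/config.ini" nftables_conf /etc/nftables.conf &&
    cat "$d/config.ini"
    rc=$?; rm -rf "$d"; return $rc
}
```

Writing through the existing file rather than renaming a new one over it keeps the ownership given to the user chosen at install time.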

Installing cron


Change into the cronfiles directory in the distribution. If you ran versions of nftfw before 0.6, ensure that you replace the cron.d file with the current version that doesn't run incron.

Active control directories


Make nftfw update the firewall when files in the control directories change. If you don't do this, then you will need to run

when you make a change by hand.

Take these steps if you ran versions of nftfw before 0.6 and used incron.

Install systemd control files from systemd in the nftfw distribution:

Stop incron if it's running and you no longer need it

Finally a tip that's hard to find: reload systemd if you change the nftfw files after installation and starting:

Installing Geolocation

This will add country detection to nftfwls, which is optional but desirable. See the document. If you plan on blocking addresses by country, then the Geolocation system from Maxmind can provide tools to generate lists of IP addresses in the correct format.

Sympl users: Update your mail system after installation

A repository that steps through the changes I make to the standard exim4/dovecot systems on Sympl to improve feedback and detection of bad IPs - see Sympl mail system update.

You Are There

Now look at:


All of this is made possible by shamelessly borrowing ideas from Patrick Cherry who created the Symbiosis hosting package for Bytemark of which the firewall system is part.