
nftfw - Installation Instructions

For those of you who just want to follow a list of instructions without any verbiage, this document lists all the steps in the Installing nftfw document. Links shown as 'Explanation' point to the corresponding section of that document.

Basic package installations

(Explanation)

If this installs a version less than 0.9.3, then edit /etc/apt/sources.d and add

and then

Install incron (Explanation)

Install Python packages (Explanation)

Check on iptables

Check on the state of iptables, and set things up to use the nftables compatibility mode (Explanation)

If the output looks like this, then skip to 'Installing nftfw'. If the word in brackets is 'legacy', do the following

Run sudo iptables -V again to check that things have switched, and
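The check above can be scripted. The following is an added example, not part of the nftfw documentation or package: it classifies the backend that iptables -V reports (Debian prints either "(nf_tables)" or "(legacy)" after the version number) and exits non-zero when iptables is still in legacy mode. It only reports; it does not switch anything.

```shell
#!/bin/sh
# Added example (not from the nftfw docs): classify the backend that
# "iptables -V" reports, so the pre-install check can be scripted.
# Debian prints e.g. "iptables v1.8.7 (nf_tables)" or "iptables v1.8.7 (legacy)".

# iptables_backend VERSION_STRING -> prints nf_tables, legacy or unknown
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# check_iptables_mode -> runs iptables -V (if installed) and reports.
# Exit status 0 when the nftables backend is active, 1 otherwise.
check_iptables_mode() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not installed; nothing to switch" >&2
        return 1
    fi
    version=$(iptables -V 2>/dev/null || true)
    backend=$(iptables_backend "$version")
    case "$backend" in
        nf_tables)
            echo "iptables is using the nftables backend: $version"
            return 0 ;;
        legacy)
            echo "iptables is in legacy mode: $version" >&2
            echo "switch it to the nft backend before installing nftfw" >&2
            return 1 ;;
        *)
            echo "could not classify iptables output: $version" >&2
            return 1 ;;
    esac
}
```

On Debian the switch itself is made with update-alternatives (update-alternatives --set iptables /usr/sbin/iptables-nft, and likewise for ip6tables); run the check again afterwards and it should report the nftables backend.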

Installing nftfw

Get nftfw installation and install (Explanation)

Change into the nftfw directory you've just installed and:

Install nftfw infrastructure:

Answers for default installation:

  • Install under /usr/local? yes
  • See the files installed? your choice
  • Install? yes
  • User to replace root? 'admin' for Symbiosis, 'sympl' for Sympl, 'return' for root
  • Install Manual pages? yes

Setting up config.ini

Edit /usr/local/etc/nftfw/config.ini. Change: (Explanation)

[Owner]
;owner=

remove the semi-colon and after the = add the user you selected when installing the files.

Then raise the logging level for now. Change

#  what level are we logging at
#  needs to be a level name not a value
#  CRITICAL, ERROR, WARNING, INFO, DEBUG
;loglevel = ERROR

remove the semi-colon, and change ERROR to INFO.

If you have a file in /etc/nftables.conf (use ls) and you've installed nftfw in the root of the file system, then in the Locations section change

#  Location of system nftables.conf
#  Usually /etc/nftables.conf
;nftables_conf = /etc/nftables.conf

remove the semi-colon, and replace /etc/nftables.conf by /etc/nftables.conf.new. This avoids writing over the current /etc/nftables.conf.
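A quick way to confirm the three config.ini edits above took effect before running nftfw. This is an added example, not code from nftfw: it reads only active (uncommented) "key = value" lines, so a line still starting with ';' counts as unset. The sample file is constructed here to mirror the defaults quoted above; the [Logging] section name is an assumption, the [Owner] and [Locations] names come from the text.

```shell
#!/bin/sh
# Added example (not part of nftfw): sanity-check the config.ini settings
# edited above. A key that is still commented out with ';' reads as unset.

# ini_value FILE KEY -> prints the value of an active "key = value" line,
# or nothing if the key is absent or only present commented out
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_config FILE -> 0 if owner is set, loglevel is a valid level name
# and nftables_conf does not point at the live /etc/nftables.conf; else 1
check_config() {
    f=$1; rc=0
    owner=$(ini_value "$f" owner)
    if [ -z "$owner" ]; then
        echo "owner: not set (remove the ';' in the [Owner] section)" >&2; rc=1
    fi
    level=$(ini_value "$f" loglevel)
    case "$level" in
        CRITICAL|ERROR|WARNING|INFO|DEBUG) ;;
        *) echo "loglevel: '$level' is not a level name" >&2; rc=1 ;;
    esac
    conf=$(ini_value "$f" nftables_conf)
    if [ "$conf" = /etc/nftables.conf ]; then
        echo "nftables_conf: would overwrite the live /etc/nftables.conf" >&2; rc=1
    fi
    return $rc
}

# Constructed sample (section name [Logging] is assumed): owner set,
# loglevel raised to INFO, output redirected to /etc/nftables.conf.new
make_sample() {
    cat > "$1" <<'EOF'
[Owner]
owner = admin

[Logging]
;  CRITICAL, ERROR, WARNING, INFO, DEBUG
loglevel = INFO

[Locations]
;nftables_conf = /etc/nftables.conf
nftables_conf = /etc/nftables.conf.new
EOF
}
```

Run check_config /usr/local/etc/nftfw/config.ini after editing; the nftables_conf check is only relevant while testing, and is expected to fail once you point it back at /etc/nftables.conf in the final steps.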

Disable cron and incron actions

(Explanation)

  • On Symbiosis move /etc/cron.d/symbiosis-firewall to a safe place.
  • On Symbiosis move /etc/incron.d/symbiosis-firewall to a safe place.
  • On Sympl move /etc/cron.d/sympl-firewall to a safe place.

Test that nftfw doesn't complain

The number in the log is the process id, so it will be different for you.

Taking precautions if you have a live firewall

If you don't have a running nftables or iptables firewall, then skip to next section.

If you DO, carry on here (Explanation)

If you have a running firewall, save its rules first:

Output should end with 'Install rules in ...' - wherever the config.ini file tells nftfw to store the nftables.conf file.

will list the ruleset.

If you have a problem, revert to old rules:

if not
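The save-then-revert precaution above, as an added example that is not part of nftfw. It assumes nft(8) is installed and that you choose the backup path. save_ruleset refuses to overwrite an existing backup, so a second run after a bad test cannot replace the good copy; restore_ruleset syntax-checks the saved file first and then applies the flush and reload as a single nft transaction, so there is no moment with an empty ruleset.

```shell
#!/bin/sh
# Added example (not nftfw's own code): keep a copy of the live nftables
# ruleset before the first nftfw test, and put it back if the test goes wrong.
# Assumes nft(8) is installed; FILE is wherever you want the backup.

# save_ruleset FILE -> writes "nft list ruleset" to FILE; refuses to
# overwrite an existing file so a good backup is never clobbered
save_ruleset() {
    if [ -e "$1" ]; then
        echo "$1 already exists; not overwriting" >&2
        return 1
    fi
    nft list ruleset > "$1" || { rm -f "$1"; return 1; }
    [ -s "$1" ] || echo "warning: saved ruleset is empty" >&2
    return 0
}

# restore_ruleset FILE -> check that FILE parses (nft -c), then flush the
# current ruleset and load FILE in one transaction via nft -f -
restore_ruleset() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    nft -c -f "$1" || { echo "$1 does not parse; not loading it" >&2; return 1; }
    { echo "flush ruleset"; cat "$1"; } | nft -f -
}
```

Typical use is save_ruleset /root/nft-before-nftfw.conf before the test and restore_ruleset /root/nft-before-nftfw.conf if the new rules misbehave; nft list ruleset afterwards should show the original tables again.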

Run a test if you don't have a live firewall

If you DON'T have a running nftables or iptables firewall (Explanation). If you DO, then you've done this bit above.

to test installation. Output should end with 'Install rules in ...' - wherever the config.ini file tells nftfw to store the nftables.conf file. Now skip to next section.

will list the ruleset.

Final steps

(Explanation)

Edit /usr/local/etc/nftfw/config.ini to put the nftables.conf file in the right place

#  Location of system nftables.conf
#  Usually /etc/nftables.conf
nftables_conf = /etc/nftables.conf

run to write it there

Tell systemctl to enable and start its nftables service.

On a Symbiosis system -

On a Sympl system -

This turns out to be an important step: rebooting without having done it results in a bad combination of two firewalls, because the nftables settings are loaded before the Symbiosis/Sympl ones.

Installing cron and incron

See README in the cronfiles directory.

Installing Geolocation

This will add country detection to nftfwls, which is optional but desirable. See the document.

Sympl users: Update your mail system after installation

A repository that steps through the changes I make to the standard exim4/dovecot systems on Sympl to improve feedback and detection of bad IPs - see Sympl mail system update.

You Are There

Now look at:

Acknowledgement

All of this is made possible by shamelessly borrowing ideas from Patrick Cherry who created the Symbiosis hosting package for Bytemark of which the firewall system is part.