
nftfw - Updating nftfw

Get current version

If you've installed nftfw from a zip or tar file, then revisit the github pages and pull the current version. Unpack and install the files.

If you used git, then change to your nftfw source directory and

which will pull the files that have changed, and will also tell you if you are up-to-date.

If you've run the nftfw system tests, git will complain about some new files. In the nftfw directory:

will remove the files created by the tests, and the pull should now work.

To use git in future:

Re-install the nftfw Python modules & programs

Re-run the script

Re-running the script updates the files in your etc/nftfw directory but does not touch any of your working files. The original directory may contain changes that are useful to you; use diff to compare your working versions with the files in the original directory.
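The comparison described above, as an added example that is not part of nftfw: a small POSIX shell script that walks the pristine copies the script leaves behind, reports which of your working files differ or are missing, and prints a unified diff for any one of them. The directory paths are parameters; the demonstration at the end runs on a constructed pair of temporary directories rather than on /etc/nftfw.

```shell
#!/bin/sh
# Added example (not nftfw's own code): compare a working nftfw configuration
# directory with the pristine copies the install script keeps, so you can see
# exactly which local edits need re-applying or merging after an update.

# compare_config_dirs ORIGINAL_DIR WORKING_DIR
# Prints one line per file that is missing from WORKING_DIR or differs from the
# copy in ORIGINAL_DIR. Returns 0 if every file is identical, 1 otherwise.
compare_config_dirs() {
    orig_dir=$1
    work_dir=$2
    rc=0
    # Relative paths under the original tree map one-to-one onto the working
    # tree. Word-splitting the find output is acceptable here because nftfw
    # control files do not carry whitespace in their names.
    for rel in $(cd "$orig_dir" && find . -type f | sort | sed 's|^\./||'); do
        if [ ! -f "$work_dir/$rel" ]; then
            printf 'missing in working dir: %s\n' "$rel"
            rc=1
        elif ! cmp -s "$orig_dir/$rel" "$work_dir/$rel"; then
            printf 'differs from original: %s\n' "$rel"
            rc=1
        fi
    done
    return $rc
}

# show_config_diff ORIGINAL_DIR WORKING_DIR REL_PATH
# Unified diff of one file, original first, so "+" lines are your local edits.
show_config_diff() {
    diff -u "$1/$3" "$2/$3"
}

# Demonstration on constructed directories; the file contents are sample text,
# not real nftfw configuration.
demo_compare() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/original/rule.d" "$tmp/working/rule.d"
    printf 'sample rule\n' > "$tmp/original/rule.d/example"
    printf 'sample rule\n' > "$tmp/working/rule.d/example"          # unchanged
    printf 'sample init\n' > "$tmp/original/nftfw_init.nft"
    printf 'sample init\n# local edit\n' > "$tmp/working/nftfw_init.nft"  # edited locally
    printf 'sample ini\n' > "$tmp/original/config.ini"               # never copied over
    compare_config_dirs "$tmp/original" "$tmp/working" || :
    show_config_diff "$tmp/original" "$tmp/working" nftfw_init.nft || :
    rm -rf "$tmp"
}

demo_compare
```

On a real system call it as `compare_config_dirs /etc/nftfw/original /etc/nftfw` (or with etc_nftfw as the first argument from version 0.8 on) and then `show_config_diff` on each reported file; the diff is ordered original-first so the lines you added locally show up with a leading "+".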

The [Incron] section in the config.ini file can be deleted as it's no longer used.

Changes for nftfw version 0.8 and onwards

Summary of changes from 0.7 requiring some reconfiguration:

  • Edit config.ini to remove:
      • the [Owner] section - ownership of files created in etc/nftfw is now taken from the owner of that directory;
      • nftfw_base - nftfw now uses its own control files exclusively.
  • etc/nftfw/original renamed etc/nftfw/etc_nftfw
  • Change to nftfw_init.nft to include essential ipv6 icmp coding. Change to rule.d/: the reference to this rule can be removed from incoming.d and outgoing.d.
  • Updated regular expressions in exim4.patterns - they now find IP addresses correctly.
  • Local action rules should be placed in /etc/nftfw/local.d, so that rule.d can be updated by distributions.

Other changes:

  • New import_tool to import Symbiosis/Sympl configs
  • New script to remove the need for manual installation
  • Many documentation changes - example files are now shown relative to the filesystem root, e.g. /etc/nftfw rather than /usr/local/etc/nftfw.

Changes for nftfw version 0.7 and onwards

nftfw has gained a new control directory, etc/nftfw/blacknets.d, which allows you to install files of IP address ranges coded in CIDR notation. The blacknets system blocks a large number of IP networks based on lists of addresses. It can be used to keep whole countries out, or to stop access from large organisations with complex address ranges. There's a document, Getting CIDR lists, explaining how to get the country lists onto your system. There are other sources of bulk blacklists.
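A check worth running on any bulk list before it goes into blacknets.d, as an added example that is not part of nftfw: a POSIX shell validator that rejects a file if any non-comment line is not a well-formed IPv4 or IPv6 CIDR network. It assumes one network per line with blank lines and "#" comments ignored; that file format is an assumption about blacknets, so confirm it against the nftfw documentation. The IPv6 pattern is a shape check, not a full parser.

```shell
#!/bin/sh
# Added example (not nftfw's own code): sanity-check a blacknets list before
# installing it. Assumed format: one CIDR network per line, "#" comments and
# blank lines ignored.

# IPv4: four octets 0-255 followed by /0-32.
IPV4_CIDR='^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$'
# IPv6: hex groups separated by colons followed by /0-128 (loose shape check).
IPV6_CIDR='^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){1,7}/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$'

# check_blacknets_file FILE
# Prints "FILE:LINE: bad entry: ..." for each malformed line.
# Returns 0 when every entry is a valid CIDR network, 1 otherwise.
check_blacknets_file() {
    file=$1
    bad=0
    n=0
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        entry=${line%%#*}                                  # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')  # also eats CR from CRLF files
        if [ -z "$entry" ]; then
            continue
        fi
        if printf '%s\n' "$entry" | grep -Eq "$IPV4_CIDR"; then continue; fi
        if printf '%s\n' "$entry" | grep -Eq "$IPV6_CIDR"; then continue; fi
        printf '%s:%d: bad entry: %s\n' "$file" "$n" "$line"
        bad=1
    done < "$file"
    return $bad
}

# Demonstration on a constructed list: three good entries, two malformed ones.
demo_blacknets() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample list for this example
192.0.2.0/24
198.51.100.0/22   # trailing comment is fine
2001:db8::/32
203.0.113.300/24
10.0.0.0
EOF
    check_blacknets_file "$tmp" || echo "reject this list until the bad lines are fixed"
    rm -f "$tmp"
}

demo_blacknets
```

Run it as `check_blacknets_file country-list.txt` on each downloaded file and only copy the file into blacknets.d when the function returns 0; a single malformed line is easier to find here than after the firewall load has refused the whole set.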

To support the new category of blocking, there are some changes to etc/nftfw/nftfw_init.nft that need to be installed. When updating, remember to run the script and then copy etc/nftfw/originals/nftfw_init.nft to etc/nftfw/nftfw_init.nft. If you've made changes to the installed file, you'll need to edit them in again. It's then wise to run

to ensure that you have a clean installation.

If you've installed the systemd based active file system, then you will need to update /etc/systemd/system/nftfw.path to include the new blacknets.d directory. Copy nftfw.path from the systemd directory in the release to /etc/systemd/system/nftfw.path; the file contains the five lines that are needed. Then tell systemd to reload:
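A way to confirm the copied unit actually watches blacknets.d before you reload, as an added example that is neither nftfw's nftfw.path nor its tooling: two POSIX shell functions that pull the directories out of the path-watching directives systemd.path understands and test for a given one. The unit written by the demonstration is constructed for this example and lists only directories named on this page; it is not the file shipped in the release.

```shell
#!/bin/sh
# Added example (not nftfw's own code): check which directories a systemd
# .path unit watches, so you can confirm nftfw.path picked up blacknets.d.

# unit_watched_dirs UNIT_FILE
# Prints the path from every PathExists, PathExistsGlob, PathChanged,
# PathModified or DirectoryNotEmpty directive, one per line.
unit_watched_dirs() {
    sed -n -E 's/^[[:space:]]*(PathExists|PathExistsGlob|PathChanged|PathModified|DirectoryNotEmpty)=[[:space:]]*//p' "$1"
}

# unit_watches_dir UNIT_FILE DIR
# Returns 0 if DIR (trailing slash optional on either side) is watched.
unit_watches_dir() {
    want=${2%/}
    unit_watched_dirs "$1" | sed 's|/*$||' | grep -qxF -- "$want"
}

# Demonstration on a constructed unit file (not the nftfw.path from the release).
demo_path_unit() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
[Unit]
Description=constructed example: watch nftfw control directories

[Path]
PathChanged=/etc/nftfw/incoming.d
PathChanged=/etc/nftfw/outgoing.d
PathChanged=/etc/nftfw/blacknets.d

[Install]
WantedBy=multi-user.target
EOF
    echo "watched directories:"
    unit_watched_dirs "$tmp"
    if unit_watches_dir "$tmp" /etc/nftfw/blacknets.d; then
        echo "blacknets.d is watched: safe to run systemctl daemon-reload"
    else
        echo "blacknets.d is NOT watched: copy the new nftfw.path first"
    fi
    rm -f "$tmp"
}

demo_path_unit
```

On a live system run `unit_watches_dir /etc/systemd/system/nftfw.path /etc/nftfw/blacknets.d` after copying the file; a unit edited on disk is not seen by systemd until `systemctl daemon-reload` has been run, which is the reload step the page refers to.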

Changes for nftfw version 0.6 and onwards

nftfw no longer recommends using incron to provide 'active' directories, where changes to directories under /usr/local/nftfw cause the nftfw load command to run automatically. A systemd unit that watches the directories and calls the command replaces incron. If you've installed a previous version then you need to unwind parts of the incron support system.

Take these steps if you ran versions of nftfw before 0.6 and used incron. These steps are shown in other files, but it seems sensible to emphasise them here. They can be done before or after you install the new version. The systemd unit can run with versions before 0.6, but 0.6 contains some coding changes that make it work a little better.

First, move to the nftfw distribution and replace the cron.d file

then stop incron from running nftfw:

Install systemd control files from systemd in the nftfw distribution:

Stop incron if it's running and you no longer need it

Finally a tip that's hard to find: reload systemd if you change the nftfw files after installation and starting: