
#1 2016-04-23 17:31:12

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Firewall for the lazy

Interested in firewalls but confused by their implementation?

Too lazy to learn how to use the backends?

Are the GUI front ends still too fiddly for you?

Good! Me too big_smile

Try this:

sudo apt-get install -t jessie-backports nftables linux-image-amd64 # instructions here: https://wiki.debian.org/Backports
sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf # "workstation" is a whitelist firewall, other examples available
sudo systemctl start nftables
sudo systemctl enable nftables

Check with:

sudo nft list ruleset

See nft(8)

Alternative configurations are available in /usr/share/doc/nftables/examples/syntax

smile

More here:
https://wiki.archlinux.org/index.php/Nftables

EDIT: Added step to copy the "workstation" ruleset from the examples to /etc/nftables.conf
EDIT2: And `sed` to remove the `flush ruleset` line.
EDIT3: Need to run the backported kernel, thanks tynman!

Last edited by Head_on_a_Stick (2016-06-20 06:36:05)


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.

Forum Rules   •   How to report a problem   •   Software that rocks


#2 2016-04-24 03:15:08

twoion
ほやほや
Registered: 2015-08-10
Posts: 2,393

Re: Firewall for the lazy

nft doesn't have a default configuration…you'd still need to configure the backend!


A silent kite against the blue, blue sky


#3 2016-04-24 09:59:51

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

twoion wrote:

nft doesn't have a default configuration…you'd still need to configure the backend!

The package supplies a default /etc/nftables.conf that is parsed by nftables.service.

empty@Arch ~ % sudo nft list ruleset
[sudo] password for empty: 
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                ct state { related, established} accept 
                ct state invalid drop 
                iifname "lo" accept 
                ip protocol icmp accept 
                ip6 nexthdr ipv6-icmp accept 
                tcp dport ssh accept 
                meta nfproto ipv4 reject 
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
                drop 
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}

The ruleset is slightly different in Debian but it is still applied automagically using the "filter" example from /usr/share/doc/nftables/examples.


#4 2016-05-02 22:38:25

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Firewall for the lazy

Somehow "apt-get install -t jessie-backports nftables" does not work for me: "Unable to locate package nftables". Is it only me? (It's also the same without backports.)


#5 2016-05-02 22:41:22

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

martix wrote:

"Unable to locate package nftables"

Please post the *full* error message.

Please also post the output of:

apt-cache policy nftables
grep -R backports /etc/apt/sources.list{,.d/*}

I will be AFK for the next ~7 hours.


#6 2016-05-02 23:14:19

Sector11
Tpyo Knig
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,275

Re: Firewall for the lazy

Aaaaaaaaaaa you do sleep.  smile


BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System:    Host: s12 Kernel: 3.16.0-4-amd64 x86_64 (64 bit gcc: 4.8.4)
Desktop: Openbox 3.5.2 dm: (startx) Distro: Debian GNU/Linux 8


#7 2016-05-02 23:19:56

damo
....moderator....
Registered: 2015-08-20
Posts: 4,878

Re: Firewall for the lazy

martix wrote:

Somehow "apt-get install -t jessie-backports nftables" does not work for me: "Unable to locate package nftables". Is it only me? (It's also the same without backports.)

Sources - sources.list and backports details

Is jessie-backports enabled? Because nftables is definitely in that repository.


Be Excellent to Each Other...

FORUM RULES and posting guidelines «» Help page for forum post formatting
Artwork on DeviantArt  «» BunsenLabs on DeviantArt


#8 2016-05-02 23:39:48

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Firewall for the lazy

Here are some outputs:

apt-cache policy nftables
N: Unable to locate package nftables
grep -R backports /etc/apt/sources.list{,.d/*}
/etc/apt/sources.list.d/bunsen-jessie-backports.list:# BunsenLabs backports
/etc/apt/sources.list.d/bunsen-jessie-backports.list:deb http://pkg.bunsenlabs.org/debian jessie-backports main

Is there anything I could correct?


#9 2016-05-02 23:45:35

damo
....moderator....
Registered: 2015-08-20
Posts: 4,878

Re: Firewall for the lazy

martix wrote:

...
Is there anything I could correct?

If you read the Sticky thread I linked to, you should see that you don't have 'contrib' or 'non-free' in your jessie-backports. Add them after 'main' and update your sources, then try the install again.


#10 2016-05-03 00:14:17

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Firewall for the lazy

Indeed, cheers, debian-jessie-backports.list was missing. After creating it, nftables installed without issues.


#11 2016-05-03 06:23:47

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

Please mark the thread [SOLVED]

No, wait a minute...

monkey

Sector11 wrote:

you do sleep

I was just resting my eyes neutral


#12 2016-05-03 14:41:19

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Firewall for the lazy

There is a bug report on Debian about nftables:  https://bugs.debian.org/cgi-bin/bugrepo … bug=804648

However it seems that it's not really a bug. I found that page because I also received the message "nftables Default-Start contains no runlevels, aborting." - just like described in the thread. After a restart, "systemctl status nftables" shows:

nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled)
   Active: active (exited) since Tue 2016-05-03 15:02:51 IST; 21min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 931 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
 Main PID: 931 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/nftables.service

Is that all for the needs of an average user? At least that's how I understand it: "The shipped configuration is a secure one: a white-list type firewall, which drop all connections unless stated otherwise. It's intended for a simple workstation."


#13 2016-05-03 18:01:40

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

martix wrote:

Is that all for the needs of an average user? At least that's how I understand it: "The shipped configuration is a secure one: a white-list type firewall, which drop all connections unless stated otherwise. It's intended for a simple workstation."

Yes, that is correct -- I use the exact same firewall on my devices smile

You can check if the rules have been applied with:

sudo nft list ruleset

The syntax of the rules is more streamlined and far easier to understand than iptables (IMO) and it offers a combined ip/ip6/arp/ebtables framework.

It's also cooler than iptables, the firewall runs in a virtual machine within the kernel and it's faster and more powerful than the old filter.

https://en.wikipedia.org/wiki/Nftables


#14 2016-05-03 19:50:23

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Firewall for the lazy

It looks good. It surely also has a learning curve. By default I get the following:

table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		iif lo accept 
		ct state established,related accept 
		ip6 nexthdr ipv6-icmp icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept 
		counter packets 0 bytes 0 drop 
	}
}


#15 2016-05-03 20:24:49

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

^ Yes, your firewall is up glasses

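The first post says to "check with" `sudo nft list ruleset`, and the exchange just above treats any listed ruleset as "your firewall is up". The script below, an added example that is not from the thread, goes one step further and reads that output to tell whether the input chain is actually whitelist-style (a `policy drop`, or an unconditional drop/reject as the last rule) rather than merely present. The two rulesets embedded in it are constructed samples, the first modelled on the one martix posted.

```shell
#!/bin/sh
# Added example, not from the thread: audit `nft list ruleset` output to tell
# whether the "input" chain really behaves as a whitelist, i.e. whether a
# packet that matches no accept rule ends up dropped or rejected.
# Live use (needs root):  sudo nft list ruleset | audit_input_chain

# Constructed sample, modelled on the ruleset martix posted above: the chain
# policy is accept, but the last rule drops everything that got that far.
SAMPLE_WHITELIST='table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif lo accept
                ct state established,related accept
                counter packets 0 bytes 0 drop
        }
}'

# Constructed sample of an open ruleset: policy accept and no terminal drop,
# so anything not matched by an accept rule is still let through.
SAMPLE_OPEN='table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif lo accept
        }
}'

# audit_input_chain: reads ruleset text on stdin and prints one word:
#   default-deny     policy drop, or the last rule is an unconditional
#                    drop/reject (a leading counter expression is ignored)
#   default-accept   anything else: unmatched packets are accepted
#   no-input-chain   no "chain input" block found (e.g. an empty ruleset)
# If several tables define an input chain, the last one listed is audited.
audit_input_chain() {
    awk '
    /^[[:space:]]*chain input[[:space:]]*[{]/ { inchain = 1; found = 1; policy = ""; last = ""; next }
    inchain && /^[[:space:]]*[}]/             { inchain = 0; next }
    inchain {
        line = $0
        sub(/^[[:space:]]+/, "", line)
        sub(/[[:space:]]+$/, "", line)
        if (line ~ /^type .*policy/) {
            policy = (line ~ /policy drop/) ? "drop" : "accept"
            next
        }
        if (line != "") last = line
    }
    END {
        if (!found) { print "no-input-chain"; exit }
        # "counter packets 0 bytes 0 drop" is still an unconditional drop
        sub(/^counter( packets [0-9]+ bytes [0-9]+)?[[:space:]]+/, "", last)
        if (policy == "drop" || last == "drop" || last ~ /^reject([[:space:]]|$)/)
            print "default-deny"
        else
            print "default-accept"
    }'
}

# Demonstration on the constructed samples.
printf 'whitelist sample: %s\n' "$(printf '%s\n' "$SAMPLE_WHITELIST" | audit_input_chain)"
printf 'open sample:      %s\n' "$(printf '%s\n' "$SAMPLE_OPEN" | audit_input_chain)"
```

A conditional final rule such as `meta nfproto ipv4 reject` is deliberately not treated as default-deny, because packets of the other family fall through to the chain policy.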

#16 2016-05-04 15:30:53

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Firewall for the lazy

Head_on_a_Stick wrote:

^ Yes, your firewall is up glasses

Which firewall would you recommend for a noob: nftables or gufw?


#17 2016-05-04 17:23:04

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

I've never tried gufw so I can offer no comparison.

Why not try them for yourself?


#18 2016-05-04 23:24:48

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Firewall for the lazy

Head_on_a_Stick wrote:

I've never tried gufw so I can offer no comparison.

Why not try them for yourself?

Sort of tried both. Unfortunately I lack the knowledge to give any reasonable opinion. I noticed that nftables blocks tor bundle traffic by default. As for gufw I liked the simplicity and the icon they provide. Otherwise I cannot tell anything; firewall configuration is a little science in itself anyway.


#19 2016-05-05 06:25:35

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

I would say that if you have a specific requirement then it is probably better to invest time learning the underlying framework rather than learning to use an abstracted interface to that framework (such as gufw).


#20 2016-06-17 12:30:20

hughparker1
Member
Registered: 2016-05-05
Posts: 45

Re: Firewall for the lazy

Head_on_a_Stick wrote:

Interested in firewalls but confused by their implementation?
Try this:

sudo apt-get install -t jessie-backports nftables # instructions here: https://wiki.debian.org/Backports
sudo systemctl start nftables
sudo systemctl enable nftables

Check with:

sudo nft list ruleset

See nft(8)

Alternative configurations are available in /usr/share/doc/nftables/examples
More here:
https://wiki.archlinux.org/index.php/Nftables

I have been using BunsenLabs for a few weeks now and it's the fastest distro I have tried by miles. So very happy with the performance on my 6 year old DELL Vostro 1520 and Asus Eee-box EB1501P. Both now have SSDs and boot in 10 seconds which is great.

I tried to enable firewall but found gufw is not installed, then I found your instructions to install nftables so I thought I would give it a go...

Looks like installation completed ok....

hugh@ASUS-BUNSENLABS:~$ sudo apt-get install -t jessie-backports nftables
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libjansson4 libmxml1 libnftnl4
The following NEW packages will be installed:
  libjansson4 libmxml1 libnftnl4 nftables
0 upgraded, 4 newly installed, 0 to remove and 102 not upgraded.
Need to get 252 kB of archives.
After this operation, 927 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://httpredir.debian.org/debian/ jessie/main libmxml1 amd64 2.6-2 [28.0 kB]
Get:2 http://httpredir.debian.org/debian/ jessie-backports/main nftables amd64 0.5+snapshot20160426-1~bpo8+1 [128 kB]
Get:3 http://httpredir.debian.org/debian/ jessie/main libjansson4 amd64 2.7-1+deb8u1 [34.1 kB]
Get:4 http://httpredir.debian.org/debian/ jessie-backports/main libnftnl4 amd64 1.0.6-1~bpo8+1 [62.2 kB]
Fetched 252 kB in 0s (366 kB/s)                                                               
Selecting previously unselected package libjansson4:amd64.
(Reading database ... 102328 files and directories currently installed.)
Preparing to unpack .../libjansson4_2.7-1+deb8u1_amd64.deb ...
Unpacking libjansson4:amd64 (2.7-1+deb8u1) ...
Selecting previously unselected package libmxml1.
Preparing to unpack .../libmxml1_2.6-2_amd64.deb ...
Unpacking libmxml1 (2.6-2) ...
Selecting previously unselected package libnftnl4:amd64.
Preparing to unpack .../libnftnl4_1.0.6-1~bpo8+1_amd64.deb ...
Unpacking libnftnl4:amd64 (1.0.6-1~bpo8+1) ...
Selecting previously unselected package nftables.
Preparing to unpack .../nftables_0.5+snapshot20160426-1~bpo8+1_amd64.deb ...
Unpacking nftables (0.5+snapshot20160426-1~bpo8+1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up libjansson4:amd64 (2.7-1+deb8u1) ...
Setting up libmxml1 (2.6-2) ...
Setting up libnftnl4:amd64 (1.0.6-1~bpo8+1) ...
Setting up nftables (0.5+snapshot20160426-1~bpo8+1) ...
Processing triggers for libc-bin (2.19-18+deb8u4) ...
hugh@ASUS-BUNSENLABS:~$

but when I tried to start nftables, I got a 'nftables.service failed' message...

hugh@ASUS-BUNSENLABS:~$ sudo systemctl start nftables
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.
hugh@ASUS-BUNSENLABS:~$

I entered the commands suggested above in terminal ...

hugh@ASUS-BUNSENLABS:~$ systemctl status nftables.service
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; disabled)
   Active: failed (Result: exit-code) since Fri 2016-06-17 12:58:59 BST; 23min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 2466 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
 Main PID: 2466 (code=exited, status=1/FAILURE)
hugh@ASUS-BUNSENLABS:~$
hugh@ASUS-BUNSENLABS:~$ journalctl -xn
No journal files were found.
hugh@ASUS-BUNSENLABS:~$ 

But I don't have a technical background so not sure what the information means, and I couldn't find any hits on google that would identify the cause of the failed message. Any idea what went wrong?


#21 2016-06-17 19:38:31

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

hughparker1 wrote:
hugh@ASUS-BUNSENLABS:~$ journalctl -xn
No journal files were found.
hugh@ASUS-BUNSENLABS:~$ 

Try:

sudo journalctl -xn

You will have to provoke the error again first.

Does nftables.service start successfully during bootup or does it fail then too?

I have just tried this in my BL system and everything works as expected.

However, the default /etc/nftables.conf has changed from a whitelist firewall to a completely open ruleset.

To get back the default-deny rules, use:

sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf

Check the rules have been applied with `sudo nft list ruleset`


#22 2016-06-17 22:54:13

hughparker1
Member
Registered: 2016-05-05
Posts: 45

Re: Firewall for the lazy

Head_on_a_Stick wrote:

Try:

sudo journalctl -xn

You will have to provoke the error again first.

I ran the command again...

$ sudo systemctl start nftables

... and got same nftables.service failed message as before

Does nftables.service start successfully during bootup or does it fail then too?

I'm not sure how to check for that.

I have just tried this in my BL system and everything works as expected.
However, the default /etc/nftables.conf has changed from a whitelist firewall to a completely open ruleset.

To get back the default-deny rules, use:

sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf

Check the rules have been applied with `sudo nft list ruleset`

I'm not very technical but I have run the following commands in terminal with the following results...

hugh@ASUS-BUNSENLABS:~$ sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf
[sudo] password for hugh: 
hugh@ASUS-BUNSENLABS:~$ sudo nft list ruleset
hugh@ASUS-BUNSENLABS:~$
hugh@ASUS-BUNSENLABS:~$ sudo journalctl -xn
-- Logs begin at Fri 2016-06-17 23:21:19 BST, end at Fri 2016-06-17 23:44:07 BST. --
Jun 17 23:42:41 ASUS-BUNSENLABS nft[1293]: ^^^^^^^^^^^^^^
Jun 17 23:42:41 ASUS-BUNSENLABS nft[1293]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 17 23:42:41 ASUS-BUNSENLABS nft[1293]: flush ruleset
Jun 17 23:42:41 ASUS-BUNSENLABS nft[1293]: ^^^^^^^^^^^^^^
Jun 17 23:42:41 ASUS-BUNSENLABS systemd[1]: nftables.service: main process exited, code=exited, status=1/FAILURE
Jun 17 23:42:41 ASUS-BUNSENLABS systemd[1]: Failed to start nftables.
-- Subject: Unit nftables.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit nftables.service has failed.
-- 
-- The result is failed.
Jun 17 23:42:41 ASUS-BUNSENLABS systemd[1]: Unit nftables.service entered failed state.
Jun 17 23:42:41 ASUS-BUNSENLABS sudo[1290]: pam_unix(sudo:session): session closed for user root
Jun 17 23:44:07 ASUS-BUNSENLABS sudo[1315]: hugh : TTY=pts/0 ; PWD=/home/hugh ; USER=root ; COMMAND=/bin/journalctl -xn
Jun 17 23:44:07 ASUS-BUNSENLABS sudo[1315]: pam_unix(sudo:session): session opened for user root by hugh(uid=0)
hugh@ASUS-BUNSENLABS:~$

Did I enter the commands correctly?  Does the output identify where the problem lies?  Thanks for your input, it is very much appreciated.


#23 2016-06-18 10:34:52

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

hughparker1 wrote:

Does nftables.service start successfully during bootup or does it fail then too?

I'm not sure how to check for that.

Yes, sorry -- you can run `sudo nft list ruleset` after boot to see if the rules have been applied and you can use this command after boot to see if the .service has been started:

systemctl status nftables.service

The `systemctl start` command starts the .service immediately but the `systemctl enable` command is needed to make the .service start automatically at every boot thereafter.

On the other hand, if you just use `systemctl enable` then the .service does *not* start until the next boot up.

The man page covers this in great detail: systemctl(1)

hughparker1 wrote:
hugh@ASUS-BUNSENLABS:~$ sudo journalctl -xn
-- Logs begin at Fri 2016-06-17 23:21:19 BST, end at Fri 2016-06-17 23:44:07 BST. --
Jun 17 23:42:41 ASUS-BUNSENLABS nft[1293]: ^^^^^^^^^^^^^^
Jun 17 23:42:41 ASUS-BUNSENLABS nft[1293]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 17 23:42:41 ASUS-BUNSENLABS nft[1293]: flush ruleset
Jun 17 23:42:41 ASUS-BUNSENLABS nft[1293]: ^^^^^^^^^^^^^^
Jun 17 23:42:41 ASUS-BUNSENLABS systemd[1]: nftables.service: main process exited, code=exited, status=1/FAILURE
Jun 17 23:42:41 ASUS-BUNSENLABS systemd[1]: Failed to start nftables.
-- Subject: Unit nftables.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit nftables.service has failed.
-- 
-- The result is failed.
Jun 17 23:42:41 ASUS-BUNSENLABS systemd[1]: Unit nftables.service entered failed state.
Jun 17 23:42:41 ASUS-BUNSENLABS sudo[1290]: pam_unix(sudo:session): session closed for user root
Jun 17 23:44:07 ASUS-BUNSENLABS sudo[1315]: hugh : TTY=pts/0 ; PWD=/home/hugh ; USER=root ; COMMAND=/bin/journalctl -xn
Jun 17 23:44:07 ASUS-BUNSENLABS sudo[1315]: pam_unix(sudo:session): session opened for user root by hugh(uid=0)
hugh@ASUS-BUNSENLABS:~$

Did I enter the commands correctly?  Does the output identify where the problem lies?

Yes, the problem is with the default /etc/nftables.conf which had an erroneous "flush ruleset" line at the top hmm

However, now that you have copied the "workstation" example to /etc/nftables.conf the `systemctl start nftables` command should now work if you try it again smile

Remember to `enable` it to start automatically.

Check for all enabled .services (& .targets & .sockets) with:

systemctl list-unit-files | grep enabled


#24 2016-06-18 13:42:55

hughparker1
Member
Registered: 2016-05-05
Posts: 45

Re: Firewall for the lazy

Head_on_a_Stick wrote:

However, now that you have copied the "workstation" example to /etc/nftables.conf the `systemctl start nftables` command should now work if you try it again

I ran this command after boot...

hugh@ASUS-BUNSENLABS:~$ sudo systemctl start nftables
[sudo] password for hugh: 
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.
hugh@ASUS-BUNSENLABS:~$ 

... but still getting failed message

Remember to `enable` it to start automatically.

So I will add the command 'sudo systemctl start nftables' to end of '.config/openbox/autostart' followed by '&' ?

Check for all enabled .services (& .targets & .sockets) with:

systemctl list-unit-files | grep enabled

I ran this command and here is output....

hugh@ASUS-BUNSENLABS:~$ systemctl list-unit-files | grep enabled
cups.path                                  enabled 
anacron-resume.service                     enabled 
anacron.service                            enabled 
avahi-daemon.service                       enabled 
cron.service                               enabled 
cups-browsed.service                       enabled 
cups.service                               enabled 
dbus-org.freedesktop.Avahi.service         enabled 
dbus-org.freedesktop.ModemManager1.service enabled 
dbus-org.freedesktop.nm-dispatcher.service enabled 
display-manager.service                    enabled 
getty@.service                             enabled 
hwclock-save.service                       enabled 
lightdm.service                            enabled 
lm-sensors.service                         enabled 
ModemManager.service                       enabled 
NetworkManager-dispatcher.service          enabled 
NetworkManager.service                     enabled 
rsyslog.service                            enabled 
smartd.service                             enabled 
ssh.service                                enabled 
sshd.service                               enabled 
syslog.service                             enabled 
avahi-daemon.socket                        enabled 
cups.socket                                enabled 
uuidd.socket                               enabled 
remote-fs.target                           enabled 
hugh@ASUS-BUNSENLABS:~$ 

Yes, sorry -- you can run `sudo nft list ruleset` after boot to see if the rules have been applied

I ran the command but there wasn't any output, should this produce a list?

hugh@ASUS-BUNSENLABS:~$ sudo nft list ruleset
hugh@ASUS-BUNSENLABS:~$ 

...and you can use this command after boot to see if the .service has been started:

systemctl status nftables.service

I ran the 'status' command but got 'failed' result...

hugh@ASUS-BUNSENLABS:~$ systemctl status nftables.service
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; disabled)
   Active: failed (Result: exit-code) since Sat 2016-06-18 13:59:59 BST; 3min 39s ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 1433 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
 Main PID: 1433 (code=exited, status=1/FAILURE)
hugh@ASUS-BUNSENLABS:~$ 

I tried running the command 'systemctl start nftables.service' but get failed message again...

hugh@ASUS-BUNSENLABS:~$ sudo systemctl start nftables.service
[sudo] password for hugh: 
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.
hugh@ASUS-BUNSENLABS:~$ 

then I tried the enable command...

hugh@ASUS-BUNSENLABS:~$ sudo systemctl enable nftables.service
Created symlink from /etc/systemd/system/multi-user.target.wants/nftables.service to /lib/systemd/system/nftables.service.
hugh@ASUS-BUNSENLABS:~$ 

I don't think I'm getting very far, maybe it's too difficult for a newbie like myself. Not sure what I'm doing wrong. But I do appreciate your help on this. Does any of the above info help identify where I'm going wrong?


#25 2016-06-18 13:52:45

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Firewall for the lazy

hughparker1 wrote:

Remember to `enable` it to start automatically.

So I will add the command 'sudo systemctl start nftables' to end of '.config/openbox/autostart' followed by '&' ?

No, don't do that.

You should just run `sudo systemctl enable nftables.service`

That should persist between reboots.

For now try this fix hack:

sudo sed -i 's/flush/#flush/' /etc/nftables.conf

I will have to investigate this further and find a proper fix, thank you for reporting this smile

Last edited by Head_on_a_Stick (2016-06-18 13:53:28)

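The journal lines hughparker1 posted show the `flush ruleset` statement in /etc/nftables.conf being rejected with "Address family not supported by protocol", the stopgap above is to comment that line out, and the first post's EDIT3 records the proper fix (run the backported kernel). As an added example that is not from the thread, the script below recognises that failure pattern in `journalctl` output and applies the stopgap with a backup and a whole-statement match, so a rule that merely contains the word "flush" is left alone. The journal excerpt and the config file it works on are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose the nftables.service failure
# discussed above and apply the thread's stopgap safely.
# Live use (needs root):
#   sudo journalctl -u nftables.service -n 20 | classify_nft_failure
#   sudo sh -c '. ./this.sh; disable_flush_ruleset /etc/nftables.conf'

# Constructed journal lines, modelled on the ones posted in the thread.
SAMPLE_JOURNAL='Jun 17 23:42:41 host nft[1293]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Jun 17 23:42:41 host nft[1293]: flush ruleset
Jun 17 23:42:41 host systemd[1]: Failed to start nftables.'

# classify_nft_failure: reads journal lines on stdin and prints one word:
#   flush-unsupported  the kernel rejected the "flush ruleset" statement
#                      (the thread's case: an nft newer than the kernel)
#   syntax-error       nft reported a parse error in the config file
#   unknown            nothing recognised
classify_nft_failure() {
    awk '
    /Address family not supported by protocol/ { unsupported = 1 }
    /nft\[[0-9]+\]: *flush ruleset/            { flush = 1 }
    /Error: syntax error/                      { syntax = 1 }
    END {
        if (unsupported && flush) print "flush-unsupported"
        else if (syntax)          print "syntax-error"
        else                      print "unknown"
    }'
}

# count_active_flush FILE: number of uncommented "flush ruleset" lines.
count_active_flush() {
    grep -c '^[[:space:]]*flush ruleset' "$1" || true
}

# disable_flush_ruleset FILE: comment out "flush ruleset" lines in FILE,
# keeping a copy at FILE.bak first.  The pattern is anchored on the whole
# statement, unlike a bare s/flush/#flush/, so other lines are untouched.
# This is the stopgap from the thread; the proper fix is a kernel that
# supports the statement (the backported kernel, per the first post).
disable_flush_ruleset() {
    cp "$1" "$1.bak" &&
    sed -i 's/^[[:space:]]*flush ruleset/#&/' "$1"
}

# Demonstration on the constructed journal excerpt.
case "$(printf '%s\n' "$SAMPLE_JOURNAL" | classify_nft_failure)" in
    flush-unsupported)
        echo "journal: running kernel ($(uname -r)) rejects 'flush ruleset';"
        echo "         run the backported kernel, or comment the line out as a stopgap." ;;
    syntax-error)
        echo "journal: /etc/nftables.conf has a syntax error; fix the file first." ;;
    *)
        echo "journal: no known nftables failure pattern found." ;;
esac
```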

Board footer

Powered by FluxBB