
#26 2016-06-18 14:07:01

hughparker1
Member
Registered: 2016-05-05
Posts: 51

Re: Firewall for the lazy

Head_on_a_Stick wrote:

You should just run `sudo systemctl enable nftables.service`

That should persist between reboots.

For now try this fix hack:

sudo sed -i 's/flush/#flush/' /etc/nftabes.conf

I will have to investigate this further and find a proper fix, thank you for reporting this.

Thanks for your quick feedback, I ran both commands as suggested.

Is it OK for me to run the command .. 

$ sudo systemctl start nftables

.. or will I wait?


#27 2016-06-18 14:07:47

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Firewall for the lazy

The command should work now.

That hack shouldn't be needed though so I will have to see what's wrong.


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.

Forum Rules   •   How to report a problem   •   Software that rocks


#28 2016-06-18 14:29:32

hughparker1
Member
Registered: 2016-05-05
Posts: 51

Re: Firewall for the lazy

Head_on_a_Stick wrote:

The command should work now.

That hack shouldn't be needed though so I will have to see what's wrong.

I ran the command...

$ sudo systemctl start nftables
hugh@ASUS-BUNSENLABS:~$ sudo systemctl start nftables
hugh@ASUS-BUNSENLABS:~$ 

then I ran command to check if the rules have been applied

hugh@ASUS-BUNSENLABS:~$ sudo nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		iif lo accept
		ct state established,related accept
		icmpv6 type { nd-router-advert, nd-neighbor-advert, nd-neighbor-solicit} accept
		counter packets 87 bytes 17016 drop
	}
}
hugh@ASUS-BUNSENLABS:~$ 

... this looks better, is this the expected output?

then I ran following command to check if the .service has been started

hugh@ASUS-BUNSENLABS:~$ systemctl status nftables.service
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled)
   Active: active (exited) since Sat 2016-06-18 15:09:41 BST; 5min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 1655 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
 Main PID: 1655 (code=exited, status=0/SUCCESS)
hugh@ASUS-BUNSENLABS:~$ 

... again this looks better than before, does it look ok?

So do the last two commands indicate that the firewall is up and running now?

Is that the configuration completed?


#29 2016-06-18 14:44:17

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Firewall for the lazy

hughparker1 wrote:

So does the last two commands indicate that the firewall is up and running now ? 

Is that the configuration completed?

Yes, that all looks good to me.

You now have a "whitelist" firewall that only accepts connections you have created yourself or those related directly to them.

The IPv6 lines may not be needed for your system, you can try editing the file directly to comment them out -- just be sure to back up the file first!

As I say, I will investigate why the `sed` hack was needed; a bug report may be required here.



#30 2016-06-18 14:55:50

hughparker1
Member
Registered: 2016-05-05
Posts: 51

Re: Firewall for the lazy

Thanks for confirmation.

I'm not sure what to edit ref 'IPv6' (is it just a single line?) so I'll leave that if it's not doing any harm.

I have another old laptop (DELL Vostro 1520) with BunsenLabs on it, so later tonight I will use what I have learned and make up a list of the setup steps and checklist needed to set up the firewall and will let you know how I get on.

Once again many thanks for your patience, I do appreciate it.  The help on this forum is second to none, and BunsenLabs is an amazing distro. My 6 year old DELL Vostro is fitted with an SSD and boots up in 8 seconds and shuts down in 5 seconds. It's so fast now.

Last edited by Head_on_a_Stick (2016-06-18 15:01:57)


#31 2016-06-18 19:15:56

hughparker1
Member
Registered: 2016-05-05
Posts: 51

Re: Firewall for the lazy

I thought I would try to repeat above steps on my DELL Vostro, the install seemed to go ok, but I didn't get very far after that ....

hugh@DELL-VOSTRO-BUNSENLABS:~$ sudo apt-get install -t jessie-backports nftables
[sudo] password for hugh: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libjansson4 libmxml1 libnftnl4
The following NEW packages will be installed:
  libjansson4 libmxml1 libnftnl4 nftables
0 upgraded, 4 newly installed, 0 to remove and 105 not upgraded.
Need to get 252 kB of archives.
After this operation, 927 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://httpredir.debian.org/debian/ jessie/main libjansson4 amd64 2.7-1+deb8u1 [34.1 kB]
Get:2 http://httpredir.debian.org/debian/ jessie/main libmxml1 amd64 2.6-2 [28.0 kB]                         
Get:3 http://httpredir.debian.org/debian/ jessie-backports/main libnftnl4 amd64 1.0.6-1~bpo8+1 [62.2 kB]
Get:4 http://httpredir.debian.org/debian/ jessie-backports/main nftables amd64 0.5+snapshot20160426-1~bpo8+1 [128 kB]
Fetched 252 kB in 0s (274 kB/s)   
Selecting previously unselected package libjansson4:amd64.
(Reading database ... 102328 files and directories currently installed.)
Preparing to unpack .../libjansson4_2.7-1+deb8u1_amd64.deb ...
Unpacking libjansson4:amd64 (2.7-1+deb8u1) ...
Selecting previously unselected package libmxml1.
Preparing to unpack .../libmxml1_2.6-2_amd64.deb ...
Unpacking libmxml1 (2.6-2) ...
Selecting previously unselected package libnftnl4:amd64.
Preparing to unpack .../libnftnl4_1.0.6-1~bpo8+1_amd64.deb ...
Unpacking libnftnl4:amd64 (1.0.6-1~bpo8+1) ...
Selecting previously unselected package nftables.
Preparing to unpack .../nftables_0.5+snapshot20160426-1~bpo8+1_amd64.deb ...
Unpacking nftables (0.5+snapshot20160426-1~bpo8+1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up libjansson4:amd64 (2.7-1+deb8u1) ...
Setting up libmxml1 (2.6-2) ...
Setting up libnftnl4:amd64 (1.0.6-1~bpo8+1) ...
Setting up nftables (0.5+snapshot20160426-1~bpo8+1) ...
Processing triggers for libc-bin (2.19-18+deb8u4) ...
hugh@DELL-VOSTRO-BUNSENLABS:~$
hugh@DELL-VOSTRO-BUNSENLABS:~$ sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf
hugh@DELL-VOSTRO-BUNSENLABS:~$
hugh@DELL-VOSTRO-BUNSENLABS:~$ sudo systemctl start nftables
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.
hugh@DELL-VOSTRO-BUNSENLABS:~$ 
hugh@DELL-VOSTRO-BUNSENLABS:~$ sudo systemctl enable nftables.service
Created symlink from /etc/systemd/system/multi-user.target.wants/nftables.service to /lib/systemd/system/nftables.service.
hugh@DELL-VOSTRO-BUNSENLABS:~$
hugh@DELL-VOSTRO-BUNSENLABS:~$ sudo sed -i 's/flush/#flush/' /etc/nftabes.conf
sed: can't read /etc/nftabes.conf: No such file or directory
hugh@DELL-VOSTRO-BUNSENLABS:~$
hugh@DELL-VOSTRO-BUNSENLABS:~$ sudo systemctl start nftables
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.
hugh@DELL-VOSTRO-BUNSENLABS:~$ 
hugh@DELL-VOSTRO-BUNSENLABS:~$ sudo systemctl enable nftables
hugh@DELL-VOSTRO-BUNSENLABS:~$ 
hugh@DELL-VOSTRO-BUNSENLABS:~$ sudo sed -i 's/flush/#flush/' /etc/nftabes.conf
sed: can't read /etc/nftabes.conf: No such file or directory
hugh@DELL-VOSTRO-BUNSENLABS:~$ 

Not sure where I went wrong, can you advise? Sorry for troubling you again but not sure what the sequence of events should now be.


#32 2016-06-18 19:23:27

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Firewall for the lazy

hughparker1 wrote:
hugh@DELL-VOSTRO-BUNSENLABS:~$ sudo sed -i 's/flush/#flush/' /etc/nftabes.conf
sed: can't read /etc/nftabes.conf: No such file or directory
hugh@DELL-VOSTRO-BUNSENLABS:~$

Typo -- you have put nftabes.conf, it should be nftables.conf

Let me check this on a live system...

EDIT: Reproduced in the live environment.

I have updated the OP so that it now lists all the required steps.

I must confess that I have no idea what is going on here, the Debian version of nftables won't accept `nft flush ruleset` as a command whereas this works just fine in my Arch system.

Last edited by Head_on_a_Stick (2016-06-18 19:32:39)



#33 2016-06-18 19:48:24

hughparker1
Member
Registered: 2016-05-05
Posts: 51

Re: Firewall for the lazy

Head_on_a_Stick wrote:
hughparker1 wrote:
hugh@DELL-VOSTRO-BUNSENLABS:~$ sudo sed -i 's/flush/#flush/' /etc/nftabes.conf
sed: can't read /etc/nftabes.conf: No such file or directory
hugh@DELL-VOSTRO-BUNSENLABS:~$

Typo -- you have put nftabes.conf, it should be nftables.conf

Thanks for spotting that error.

Let me check this on a live system...

EDIT: Reproduced in the live environment.

I have updated the OP so that it now lists all the required steps.

I must confess that I have no idea what is going on here, the Debian version of nftables won't accept `nft flush ruleset` as a command whereas this works just fine in my Arch system.

I had a look at the OP and I see it now has four steps...
sudo apt-get install -t jessie-backports nftables
sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf
sudo systemctl start nftables
sudo systemctl enable nftables

I get error when running 'sudo systemctl start nftables' should I run this first?

$ sudo sed -i 's/flush/#flush/' /etc/nftables.conf


#34 2016-06-18 19:49:32

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Firewall for the lazy

hughparker1 wrote:

I had a look at the OP and I see it now has four steps...

Please look again, I think I was adding the fifth step while you posted.

Sorry about all this, it's a bit of a mess.



#35 2016-06-18 20:29:56

hughparker1
Member
Registered: 2016-05-05
Posts: 51

Re: Firewall for the lazy

Head_on_a_Stick wrote:
hughparker1 wrote:

I had a look at the OP and I see it now has four steps...

Please look again, I think I was adding the fifth step while you posted.

Sorry about all this, it's a bit of a mess.

Thanks very much for helping me on this, I'm not very technical, but with your help I think I've set it up ok on my Dell Vostro as well...

here are my steps...

1. $ sudo apt-get install -t jessie-backports nftables

2. $ sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf
   
3. $ sudo sed -i 's/flush/#flush/' /etc/nftables.conf
   
4. $ sudo systemctl start nftables

5. $ sudo systemctl enable nftables   
   
Then I ran two checks...

6. $ sudo nft list ruleset    # check if the rules have been applied after boot

hugh@DELL-VOSTRO-BUNSENLABS:~$ sudo nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		iif lo accept
		ct state established,related accept
		icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert} accept
		counter packets 137 bytes 26724 drop
	}
}
hugh@DELL-VOSTRO-BUNSENLABS:~$

looks OK?

7. $ systemctl status nftables.service         # check if the .service has been started

hugh@DELL-VOSTRO-BUNSENLABS:~$ systemctl status nftables.service
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled)
   Active: active (exited) since Sat 2016-06-18 20:59:55 BST; 7min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
 Main PID: 1312 (code=exited, status=0/SUCCESS)
hugh@DELL-VOSTRO-BUNSENLABS:~$ 

also looks OK?

I was wondering do I still need to run this command as well ...

  $ sudo systemctl enable nftables.service	## enable 'nftables.service' to start automatically


#36 2016-06-18 20:40:35

hughparker1
Member
Registered: 2016-05-05
Posts: 51

Re: Firewall for the lazy

I just rebooted the laptop and both checks' output looks the same as above

6. $ sudo nft list ruleset			# check if the rules have been applied after boot
7. $ systemctl status nftables.service 		# check if the .service has been started 

so maybe this command isn't necessary?

$ sudo systemctl enable nftables.service	## enable 'nftables.service' to start automatically


#37 2016-06-18 20:43:36

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Firewall for the lazy

hughparker1 wrote:

so maybe this command isn't necessary?

$ sudo systemctl enable nftables.service	## enable 'nftables.service' to start automatically

It is only necessary to run that command once and you already did that.

As I said, use `systemctl list-unit-files | grep enabled` to check if it is enabled.



#38 2016-06-18 20:51:31

hughparker1
Member
Registered: 2016-05-05
Posts: 51

Re: Firewall for the lazy

Head_on_a_Stick wrote:
hughparker1 wrote:

so maybe this command isn't necessary?

$ sudo systemctl enable nftables.service	## enable 'nftables.service' to start automatically

It is only necessary to run that command once and you already did that.

You are right, I already ran this command earlier.

if I was doing this setup again, would I run this command after step 4. $ sudo systemctl start nftables
or after step 5?

As I said, use `systemctl list-unit-files | grep enabled` to check if it is enabled.

thanks I will use that for checking in future.


#39 2016-06-18 20:52:48

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Firewall for the lazy

hughparker1 wrote:

if I was doing this setup again, would I run this command after step 4. $ sudo systemctl start nftables
or after step 5?

For that particular command, the order doesn't really matter because it does not take effect until the next bootup.



#40 2016-06-18 20:55:18

hughparker1
Member
Registered: 2016-05-05
Posts: 51

Re: Firewall for the lazy

Thanks for all your help. I am learning more each day with your great feedback.


#41 2016-06-18 21:13:16

hughparker1
Member
Registered: 2016-05-05
Posts: 51

Re: Firewall for the lazy

Head_on_a_Stick wrote:
hughparker1 wrote:

if I was doing this setup again, would I run this command after step 4. $ sudo systemctl start nftables
or after step 5?

For that particular command, the order doesn't really matter because it does not take effect until the next bootup.

Just one last question...
Do I need to run this command as part of a new setup of nftables?

$ sudo systemctl enable nftables.service	## enable 'nftables.service' to start automatically

If this step was missed would it cause a problem on reboot?

Last edited by hughparker1 (2016-06-18 21:15:09)


#42 2016-06-18 21:15:15

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Firewall for the lazy

^ If that step was missed then nftables.service would *not* start at boot afterwards.



#43 2016-06-18 21:16:31

hughparker1
Member
Registered: 2016-05-05
Posts: 51

Re: Firewall for the lazy

Head_on_a_Stick wrote:

^ If that step was missed then nftables.service would *not* start at boot afterwards.

OK, I thought so, but wasn't 100% sure. Thanks.


#44 2016-06-19 12:24:15

tynman
Member
Registered: 2015-10-13
Posts: 82

Re: Firewall for the lazy

FWIW, the problem with the "flush ruleset" command in the nftables.conf file is fixed in the next release of nftables (v0.6), which is the version packaged with Debian testing/Stretch.

Ben


#45 2016-06-19 12:27:28

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Firewall for the lazy

Thanks Ben!

I presume you mean version 0.6-2?
https://www.archlinux.org/packages/extr … /nftables/

jessie-backports already has 0.6-1:
https://packages.debian.org/search?keyw … ection=all



#46 2016-06-19 18:21:15

tynman
Member
Registered: 2015-10-13
Posts: 82

Re: Firewall for the lazy

Hmm, no.

In my BL-Debian testing/Stretch box, apt-cache policy reports I have

Installed: nftables 0.6-1

No problem with the flush statement.


On my Debian stable/Jessie box, apt-cache policy reports I have

Installed: 0.5+snapshot20160426-1~bpo8+1

On this one, I had to delete the flush statement from the nftables.conf file.


I haven't tried the Jessie-backports version. The apt-cache policy command says the version of nftables in Jessie-backports is

0.6-1~bpo8+1

if I'm reading it correctly.


So...

  • Debian Jessie           - nftables 0.5+snapshot20160426-1~bpo8+1 - problem exists (my experience)

  • Debian Jessie-backports - nftables 0.6-1~bpo8+1                  - problem exists (per hughparker1's experience)

  • Debian Stretch          - nftables 0.6-1                         - problem is fixed (my experience)

Ben


#47 2016-06-20 00:48:56

tynman
Member
Registered: 2015-10-13
Posts: 82

Re: Firewall for the lazy

This page https://bugs.debian.org/cgi-bin/bugrepo … bug=775705 suggests the problem affects kernels prior to release 3.18. It also suggests the problem is too minor to worry about. Well OK, if you put it that way.

Anyway, that's consistent with what I have seen on my two workstations. My Debian Jessie/stable box (flush ruleset fails) has kernel 3.16.0, while my BL-Debian Stretch/testing box (flush ruleset works OK) has 4.5.0. So maybe it's not related to the release of nftables after all. Go figure.

Ben


#48 2016-06-20 06:34:19

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Firewall for the lazy

tynman wrote:

This page https://bugs.debian.org/cgi-bin/bugrepo … bug=775705 suggests the problem affects kernels prior to release 3.18

That's it!

I am now in my BL system and look:

empty@TheLab ~ % sudo nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif lo accept
                ct state established,related accept
                icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
                counter packets 3 bytes 380 drop
        }
}
empty@TheLab ~ % sudo nft flush ruleset
empty@TheLab ~ % sudo nft list ruleset 
empty@TheLab ~ % uname -a
Linux TheLab 4.5.0-0.bpo.2-amd64 #1 SMP Debian 4.5.4-1~bpo8+1 (2016-05-13) x86_64 GNU/Linux

The system I was testing yesterday used the stock kernel.

Thank you very much!



#49 2016-07-03 19:55:00

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Firewall for the lazy

I'm just wondering: does this look all right?

nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}

Somehow it's different to the result I had before and I'm just not sure why.


#50 2016-07-03 20:38:25

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Firewall for the lazy

Hey martix

martix wrote:

Does this look all right?

No, the package has changed the stock configuration file so there is an extra step required now:

sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf

Then restart the .service:

sudo systemctl restart nftables.service

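The thread leaves three things a practitioner would want to script rather than eyeball: the five-step procedure in #35, the finding in #47/#48 that `flush ruleset` in the workstation file is rejected by kernels older than 3.18, and the dump in #49 where `systemctl status` reports success but every chain is empty with `policy accept`, so nothing is actually filtered. The POSIX shell script below is an added example, not code from the thread or from the nftables project. `kernel_supports_flush` takes the 3.18 threshold from the Debian bug report tynman linked (assumed from that report, not re-verified here); `ruleset_is_whitelist` reads `nft list ruleset` output and only passes when the `input` chain both accepts established/related traffic and ends in a drop, which is exactly what separates Hugh's dumps from martix's; `disable_flush_if_unsupported` applies the thread's `sed` workaround only where the kernel needs it, anchored to the start of the line so it cannot also rewrite a `flush` that appears later in the file. The two sample dumps are copied from posts #28 and #49 (tabs replaced by spaces); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): preflight and post-load checks for
# the nftables "workstation" setup. Runs offline on the sample data below;
# the commented lines at the end show live use (root needed for nft).

# Return 0 if kernel release $1 (as printed by `uname -r`) is 3.18 or newer,
# the point from which `flush ruleset` in nftables.conf is accepted according
# to the Debian bug report cited in the thread (threshold assumed from there).
kernel_supports_flush() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    if [ "$major" -gt 3 ]; then
        return 0
    fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 18 ]; then
        return 0
    fi
    return 1
}

# Read `nft list ruleset` output on stdin. Return 0 only when the `input`
# chain accepts established/related traffic AND ends in a drop (a trailing
# `drop` rule as in the workstation file, or `policy drop`). Three empty
# chains with `policy accept`, as in post #49, fail this check: the service
# is "active (exited)" but nothing is being filtered.
ruleset_is_whitelist() {
    awk '
        /chain input[ \t{]/                                { in_input = 1; next }
        in_input && /^[ \t]*}/                             { in_input = 0; next }
        in_input && /policy drop/                          { drop = 1 }
        in_input && /[ \t]drop[ \t]*$/ && !/policy/        { drop = 1 }
        in_input && /ct state established,related accept/  { ct = 1 }
        END { exit !(drop && ct) }
    '
}

# Comment out `flush ruleset` in config file $1 only when kernel $2 rejects
# it. The thread's `s/flush/#flush/` is anchored here to the start of the
# line so it cannot also rewrite a `flush` that appears later in the file.
disable_flush_if_unsupported() {
    if kernel_supports_flush "$2"; then
        return 0
    fi
    sed 's/^flush ruleset/#flush ruleset/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Sample dumps copied from posts #28 and #49 above (spaces replace tabs).
WHITELIST_DUMP=$(cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif lo accept
        ct state established,related accept
        icmpv6 type { nd-router-advert, nd-neighbor-advert, nd-neighbor-solicit} accept
        counter packets 87 bytes 17016 drop
    }
}
EOF
)

EMPTY_DUMP=$(cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
)

# Demonstration on the constructed data: the two kernels from the thread plus
# the boundary release.
for k in 3.16.0-4-amd64 3.18.0 4.5.0-0.bpo.2-amd64; do
    if kernel_supports_flush "$k"; then
        echo "$k: 'flush ruleset' accepted, leave the config alone"
    else
        echo "$k: 'flush ruleset' rejected, comment it out before 'systemctl start nftables'"
    fi
done

printf '%s\n' "$WHITELIST_DUMP" | ruleset_is_whitelist && echo "post #28 dump: input chain is a whitelist"
printf '%s\n' "$EMPTY_DUMP" | ruleset_is_whitelist || echo "post #49 dump: NOT filtering, reload the workstation config"

# Live use, as root, after step 2 of post #35 and again after every reboot:
#   disable_flush_if_unsupported /etc/nftables.conf "$(uname -r)"
#   nft list ruleset | ruleset_is_whitelist && echo "whitelist active"
```

The ruleset audit is the check the thread never spells out: `systemctl status` and `systemctl list-unit-files` only tell you that `nft -f` exited 0, and in post #49 it did exactly that while loading a file with no rules. Piping `nft list ruleset` through `ruleset_is_whitelist` after a reboot is what confirms the drop is in place. On current nft releases `nft -c -f /etc/nftables.conf` also parses the file without loading it, which would have surfaced the `flush ruleset` rejection before `systemctl start`; whether the 0.5 snapshot in jessie-backports already accepted `-c` I have not checked.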