Interested in firewalls but confused by their implementation?
Too lazy to learn how to use the backends?
Are the GUI front ends still too fiddly for you?
Good! Me too
Try this:
sudo apt-get install -t jessie-backports nftables linux-image-amd64 # instructions here: https://wiki.debian.org/Backports
sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf # "workstation" is a whitelist firewall, other examples available
sudo systemctl start nftables
sudo systemctl enable nftables
Check with:
sudo nft list ruleset
See nft(8)
Alternative configurations are available in /usr/share/doc/nftables/examples/syntax
More here:
https://wiki.archlinux.org/index.php/Nftables
EDIT: Added step to copy the "workstation" ruleset from the examples to /etc/nftables.conf
EDIT2: And `sed` to remove the `flush ruleset` line.
EDIT3: Need to run the backported kernel, thanks tynman!
Last edited by Head_on_a_Stick (2016-06-20 06:36:05)
nft doesn't have a default configuration…you'd still need to configure the backend!
The package supplies a default /etc/nftables.conf that is parsed by nftables.service
empty@Arch ~ % sudo nft list ruleset
[sudo] password for empty:
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state { related, established} accept
        ct state invalid drop
        iifname "lo" accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        tcp dport ssh accept
        meta nfproto ipv4 reject
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
The ruleset is slightly different in Debian but it is still applied automagically using the "filter" example from /usr/share/doc/nftables/examples
Somehow "apt-get install -t jessie-backports nftables" does not work for me: "Unable to locate package nftables". Is it only me? (It's also the same without backports).
"Unable to locate package nftables"
Please post the *full* error message.
Please also post the output of:
apt-cache policy nftables
grep -R backports /etc/apt/sources.list{,.d/*}
I will be AFK for the next ~7 hours.
Aaaaaaaaaaa you do sleep.
Somehow "apt-get install -t jessie-backports nftables" does not work for me: "Unable to locate package nftables". Is it only me? (It's also the same without backports).
Sources - sources.list and backports details
Is jessie-backports enabled? Because nftables is definitely in that repository.
Here are some outputs:
apt-cache policy nftables
N: Unable to locate package nftables
grep -R backports /etc/apt/sources.list{,.d/*}
/etc/apt/sources.list.d/bunsen-jessie-backports.list:# BunsenLabs backports
/etc/apt/sources.list.d/bunsen-jessie-backports.list:deb http://pkg.bunsenlabs.org/debian jessie-backports main
Is there anything I could correct?
...
Is there anything I could correct?
If you read the Sticky thread I linked to, you should see that you don't have 'contrib' or 'non-free' in your jessie-backports. Add them after 'main' and update your sources, then try the install again.
Indeed, cheers, debian-jessie-backports.list was missing. After creating it, nftables installed without issues.
Please mark the thread [SOLVED]
No, wait a minute...
8o
you do sleep
I was just resting my eyes
There is a bug report on Debian about nftables: https://bugs.debian.org/cgi-bin/bugrepo … bug=804648
However, it seems that it's not really a bug. I found that page because I also received the message "nftables Default-Start contains no runlevels, aborting." - just like described in the thread. After a restart, "systemctl status nftables" shows:
nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled)
   Active: active (exited) since Tue 2016-05-03 15:02:51 IST; 21min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 931 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
 Main PID: 931 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/nftables.service
Is that all for the needs of an average user? At least that's how I understand it: "The shipped configuration is a secure one: a white-list type firewall, which drop all connections unless stated otherwise. It's intended for a simple workstation."
Is that all for the needs of an average user? At least that's how I understand it: "The shipped configuration is a secure one: a white-list type firewall, which drop all connections unless stated otherwise. It's intended for a simple workstation."
Yes, that is correct -- I use the exact same firewall on my devices
You can check if the rules have been applied with:
sudo nft list ruleset
The syntax of the rules is more streamlined and far easier to understand than iptables (IMO) and it offers a combined ip/ip6/arp/ebtables framework.
It's also cooler than iptables: the firewall runs in a virtual machine within the kernel, and it's faster and more powerful than the old filter.
It looks good. It surely also has a learning curve. By default I get the following:
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif lo accept
        ct state established,related accept
        ip6 nexthdr ipv6-icmp icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
        counter packets 0 bytes 0 drop
    }
}
^ Yes, your firewall is up 8)
Which firewall would you recommend for a noob: nftables or gufw?
I've never tried gufw so I can offer no comparison.
Why not try them for yourself?
I've never tried gufw so I can offer no comparison.
Why not try them for yourself?
Sort of tried both. Unfortunately I lack the knowledge to give any reasonable opinion. I noticed that nftables blocks Tor bundle traffic by default. As for gufw, I liked the simplicity and the icon they provide. Otherwise I cannot tell anything; firewall configuration is a little science in itself anyway.
I would say that if you have a specific requirement then it is probably better to invest time learning the underlying framework rather than learning to use an abstracted interface to that framework (such as gufw).
Interested in firewalls but confused by their implementation?
Try this:
sudo apt-get install -t jessie-backports nftables # instructions here: https://wiki.debian.org/Backports
sudo systemctl start nftables
sudo systemctl enable nftables
Check with:
sudo nft list ruleset
See nft(8)
Alternative configurations are available in /usr/share/doc/nftables/examples
More here:
https://wiki.archlinux.org/index.php/Nftables
I have been using BunsenLabs for a few weeks now and it's the fastest distro I have tried by miles. So very happy with the performance on my 6 year old DELL Vostro 1520 and Asus Eee-box EB1501P. Both now have SSDs and boot in 10 seconds which is great.
I tried to enable firewall but found gufw is not installed, then I found your instructions to install nftables so I thought I would give it a go...
Looks like installation completed ok....
hugh@ASUS-BUNSENLABS:~$ sudo apt-get install -t jessie-backports nftables
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
libjansson4 libmxml1 libnftnl4
The following NEW packages will be installed:
libjansson4 libmxml1 libnftnl4 nftables
0 upgraded, 4 newly installed, 0 to remove and 102 not upgraded.
Need to get 252 kB of archives.
After this operation, 927 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://httpredir.debian.org/debian/ jessie/main libmxml1 amd64 2.6-2 [28.0 kB]
Get:2 http://httpredir.debian.org/debian/ jessie-backports/main nftables amd64 0.5+snapshot20160426-1~bpo8+1 [128 kB]
Get:3 http://httpredir.debian.org/debian/ jessie/main libjansson4 amd64 2.7-1+deb8u1 [34.1 kB]
Get:4 http://httpredir.debian.org/debian/ jessie-backports/main libnftnl4 amd64 1.0.6-1~bpo8+1 [62.2 kB]
Fetched 252 kB in 0s (366 kB/s)
Selecting previously unselected package libjansson4:amd64.
(Reading database ... 102328 files and directories currently installed.)
Preparing to unpack .../libjansson4_2.7-1+deb8u1_amd64.deb ...
Unpacking libjansson4:amd64 (2.7-1+deb8u1) ...
Selecting previously unselected package libmxml1.
Preparing to unpack .../libmxml1_2.6-2_amd64.deb ...
Unpacking libmxml1 (2.6-2) ...
Selecting previously unselected package libnftnl4:amd64.
Preparing to unpack .../libnftnl4_1.0.6-1~bpo8+1_amd64.deb ...
Unpacking libnftnl4:amd64 (1.0.6-1~bpo8+1) ...
Selecting previously unselected package nftables.
Preparing to unpack .../nftables_0.5+snapshot20160426-1~bpo8+1_amd64.deb ...
Unpacking nftables (0.5+snapshot20160426-1~bpo8+1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up libjansson4:amd64 (2.7-1+deb8u1) ...
Setting up libmxml1 (2.6-2) ...
Setting up libnftnl4:amd64 (1.0.6-1~bpo8+1) ...
Setting up nftables (0.5+snapshot20160426-1~bpo8+1) ...
Processing triggers for libc-bin (2.19-18+deb8u4) ...
hugh@ASUS-BUNSENLABS:~$
but when I tried to start nftables, I got a 'nftables.service failed' message...
hugh@ASUS-BUNSENLABS:~$ sudo systemctl start nftables
Job for nftables.service failed. See 'systemctl status nftables.service' and 'journalctl -xn' for details.
hugh@ASUS-BUNSENLABS:~$
I entered the commands suggested above in terminal ...
hugh@ASUS-BUNSENLABS:~$ systemctl status nftables.service
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; disabled)
   Active: failed (Result: exit-code) since Fri 2016-06-17 12:58:59 BST; 23min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 2466 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
 Main PID: 2466 (code=exited, status=1/FAILURE)
hugh@ASUS-BUNSENLABS:~$
hugh@ASUS-BUNSENLABS:~$ journalctl -xn
No journal files were found.
hugh@ASUS-BUNSENLABS:~$
But I don't have a technical background so not sure what the information means, and I couldn't find any hits on google that would identify the cause of the failed message. Any idea what went wrong?
hugh@ASUS-BUNSENLABS:~$ journalctl -xn
No journal files were found.
hugh@ASUS-BUNSENLABS:~$
Try:
sudo journalctl -xn
You will have to provoke the error again first.
Does nftables.service start successfully during bootup or does it fail then too?
I have just tried this in my BL system and everything works as expected.
However, the default /etc/nftables.conf has changed from a whitelist firewall to a completely open ruleset.
To get back the default-deny rules, use:
sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf
Check the rules have been applied with `sudo nft list ruleset`
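Both the opening post and the last reply end with `sudo nft list ruleset` as the way to check that the rules were applied, and the last reply notes that at one point the packaged /etc/nftables.conf had turned into a completely open ruleset. Listing the ruleset shows the rules, but it does not by itself say whether the input chain is actually default-deny. The script below is an added example, not code from this thread or from the nftables project: it reads a ruleset dump (the text of `nft list ruleset`, or a ruleset file in the same syntax) and classifies every filter chain attached to a given hook. A chain counts as default-deny if its policy is drop, or if its last rule is an unconditional drop/reject; otherwise packets that match none of its rules fall through to policy accept. Run on the two rulesets posted above, the Arch one ends with `meta nfproto ipv4 reject` under policy accept, which covers only IPv4, so IPv6 traffic that matches none of the earlier rules is accepted and the script reports the chain as OPEN; the Debian "workstation" one ends with an unconditional `drop` and is reported default-deny. The file name nft_audit.sh, the awk-based parsing and the exit codes are my own choices.

```shell
#!/bin/sh
# nft_audit.sh - classify the filter chain(s) on one netfilter hook in an
# nftables ruleset as default-deny or open.
#
# Input is the text produced by `nft list ruleset`, or a ruleset file written
# in the same syntax (e.g. /etc/nftables.conf). No nft binary is needed, so
# the check also works on a dump copied from another host.
#
# audit_hook RULESET_FILE HOOK   (HOOK is input, forward or output)
#   exit 0: every filter chain on HOOK is default-deny
#   exit 1: at least one chain on HOOK lets unmatched packets reach "policy accept"
#   exit 2: no filter chain is attached to HOOK at all
audit_hook() {
    awk -v hook="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }

    # Decide for the chain that was just closed. Uses the globals table, chain, policy, last.
    function verdict(    tail) {
        if (policy == "drop") {
            printf "%s/%s: default-deny (policy drop)\n", table, chain
            deny++
            return
        }
        if (last == "") {
            printf "%s/%s: OPEN - no rules and policy accept\n", table, chain
            open++
            return
        }
        tail = last
        # nft prints "counter packets N bytes M" in front of a counted verdict
        sub(/^counter([ \t]+packets[ \t]+[0-9]+[ \t]+bytes[ \t]+[0-9]+)?[ \t]+/, "", tail)
        if (tail == "drop" || tail ~ /^reject([ \t]|$)/) {
            printf "%s/%s: default-deny (unconditional \"%s\" before policy accept)\n", table, chain, last
            deny++
        } else {
            printf "%s/%s: OPEN - last rule \"%s\" is conditional; packets it does not match reach policy accept\n", table, chain, last
            open++
        }
    }

    $1 == "table" && $NF == "{" { table = $2 " " $3; next }      # e.g. "table inet filter {"
    $1 == "chain" && $NF == "{" { chain = $2; in_chain = 1; hooked = 0; policy = ""; last = ""; next }
    in_chain && trim($0) == "}" { if (hooked) verdict(); in_chain = 0; next }
    in_chain {
        line = trim($0)
        if (line ~ /^type[ \t]+filter[ \t]+hook[ \t]/) {
            if (line ~ ("hook[ \t]+" hook "[ \t]")) {
                hooked = 1
                policy = (line ~ /policy[ \t]+drop/) ? "drop" : "accept"   # no policy keyword means accept
            }
            next
        }
        if (line != "" && line !~ /^#/) last = line    # remember the final rule of the chain
    }
    END {
        if (deny + open == 0) { printf "no filter chain on hook %s\n", hook; exit 2 }
        if (open > 0) exit 1
        exit 0
    }' "$1"
}

# Run directly as ./nft_audit.sh RULESET_FILE [HOOK], for example:
#   sudo nft list ruleset > /tmp/rules.txt && ./nft_audit.sh /tmp/rules.txt input
# When the file is sourced under another name, only the function is defined.
case "${0##*/}" in
    nft_audit.sh) audit_hook "${1:?usage: nft_audit.sh RULESET_FILE [HOOK]}" "${2:-input}" ;;
esac
```

Run it against the input hook after `systemctl start nftables` to confirm the chain is really a whitelist, and against the forward hook on anything that routes; an exit status of 2 means the hook has no filter chain at all, which is the same as an open firewall for that direction.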