Firewall
This page is an extension of the firewall overview page of the user's guide.
It describes in more detail how to manage and configure the firewall:
- Enable or disable the firewall persistently, across reboots
- Modify the firewall rules and persist them
We will not describe how nftables works, since plenty of documentation is available on the internet, but rather how it is integrated in the LORIX OS and how it can be managed from a system point of view.
Enable and disable firewall (persistent)
As described in the user's guide, the firewall service can be started and stopped for the current session.
Starting or stopping a service is not the same as enabling or disabling it: start/stop only changes the current, temporary state.
On the next reboot the service starts as usual, even if it was stopped during the previous session, because starting or stopping a service is not persistent across reboots.
If you want to learn more about the "start/stop vs enable/disable" concept, please consult the more advanced service management documentation.
As a shortcut, the following sections describe how to enable and disable the firewall at boot, as a persistent state.
Enable the firewall at boot
The firewall is already configured to run at boot by default on the LORIX OS, but if you have disabled this service you can enable it again with the following command:
Enable the firewall at boot
sudo rc-update add nftables default
Result
lorix-one-aabbcc:~$ sudo rc-update add nftables default
* service nftables added to runlevel default
Enable is not start
Please note that enabling the service (start at boot) does not start it immediately. You still need to run sudo rc-service <service> start, here sudo rc-service nftables start.
Disable the firewall at boot
You can prevent the firewall from starting at boot with the following command. Keep in mind that the gateway will then come up with no packet filtering at all until the service is started by hand:
Disable the firewall at boot
sudo rc-update del nftables default
Result
lorix-one-aabbcc:~$ sudo rc-update del nftables default
* service nftables removed from runlevel default
Disable is not stop
Please note that disabling the service (no start at boot) does not stop it immediately. You still need to run sudo rc-service <service> stop, here sudo rc-service nftables stop.
Configure the firewall
The nftables rules are stored in configuration files under /etc/nftables/ and /etc/nftables/conf.d/. When the firewall service starts, nftables is loaded with the rules from these files.
Enable pre-installed rules
Some common rules, enabled by default, and additional rules installed by optional software are available in /etc/nftables/available/. The enabled rules are the ones present in the /etc/nftables/conf.d/ directory.
To enable one of the available rules, create a symbolic link in the conf.d directory pointing to the file in the available directory. Follow the existing numeric prefix convention (10-ssh, 20-http, ...) so that the load order of the files stays predictable:
Enable an existing rule
sudo ln -sf /etc/nftables/available/snmp.conf /etc/nftables/conf.d/30-snmp.conf
$ tree /etc/nftables/
/etc/nftables/
|-- available
| |-- http.conf
| |-- snmp.conf
| `-- ssh.conf
|-- conf.d
| |-- 10-ssh.conf -> /etc/nftables/available/ssh.conf
| |-- 20-http.conf -> /etc/nftables/available/http.conf
| `-- 30-snmp.conf -> /etc/nftables/available/snmp.conf
|-- nftables.conf
|-- osf
| `-- pf.os
`-- ping.conf
Reload the rules (see "Reload the rules" below) to make the change effective. To disable a rule again, remove the symbolic link from conf.d (not the file in available) and reload.
Create new rules
You can create new rules by adding files to the /etc/nftables/conf.d/ directory. For the rule syntax, refer to the nftables documentation: https://www.netfilter.org/projects/nftables/manpage.html.
As a simple start, use this template to add your rules to the input chain. The filter table and its input chain already exist; declaring them again in your file only appends your rules to the chain, so do not repeat the chain's type/hook/priority or policy line there, as a policy given in a fragment would override the one set in the base configuration:
table inet filter {
    chain input {
        # Your rules go here
    }
}
You can also create your own table and chains if needed; a new base chain then needs its own type, hook and priority declaration.
Reload the rules
To make the new rules effective, you can either restart the gateway or simply run the following command:
Load the rules
sudo rc-service nftables reload
Result
lorix-one-aabbcc:~$ sudo rc-service nftables reload
nftables | * Flushing firewall ... [ ok ]
nftables | * Loading nftables state and starting firewall ... [ ok ]
The new rules then apply. If there are errors in the rules, they are shown at this point and the new rules are not applied. Note that, as the output above shows, the reload flushes the current rules before loading the new ones: a file that fails to load therefore leaves the gateway without its firewall rules until a valid configuration is loaded. Check a new or modified file with the nft dry-run mode (sudo nft -c -f <file>) before reloading.
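The following helper script strings the steps of this page together for a shell session on the gateway: list which available rules are enabled, enable one by symbolic link, write a new rule file, syntax-check every file in conf.d and reload only when all of them pass. It is an added example and not part of LORIX OS. It assumes that the base configuration already defines the hooked input chain of table inet filter (as the template above implies), that nft accepts -c -f for dry-run checks, and, for the constructed sample rule file, a management service on TCP 8443 that should only be reachable from 192.168.10.0/24; both the port and the subnet are made up for the example. NFT_DIR is a parameter so the script can be tried on a copy of the tree before touching /etc/nftables.

```shell
#!/bin/sh
# Added example, not LORIX OS code. Run as root on the gateway.
# NFT_DIR defaults to /etc/nftables; point it at a copy of the tree to experiment.
NFT_DIR="${NFT_DIR:-/etc/nftables}"

# Print "<name> enabled <link>" or "<name> disabled" for every file in available/.
nft_rule_status() {
    for f in "$NFT_DIR"/available/*.conf; do
        [ -e "$f" ] || continue
        state=disabled
        for l in "$NFT_DIR"/conf.d/*.conf; do
            [ -L "$l" ] && [ "$(readlink "$l")" = "$f" ] || continue
            state="enabled $(basename "$l")"
            break
        done
        printf '%s %s\n' "$(basename "$f" .conf)" "$state"
    done
}

# Enable an available rule as NN-name.conf (NN fixes the load order); refuse unknown names.
nft_rule_enable() {
    src="$NFT_DIR/available/$2.conf"
    [ -f "$src" ] || { echo "no such rule file: $src" >&2; return 1; }
    ln -sf "$src" "$NFT_DIR/conf.d/$1-$2.conf"
}

# Write a new rule file. The content is a constructed sample: an assumed
# management service on TCP 8443, accepted only from an assumed management
# subnet. Only rules are declared; the chain's hook and policy stay in the
# base configuration.
nft_rule_write_sample() {
    cat > "$NFT_DIR/conf.d/40-mgmt.conf" <<'EOF'
define mgmt_net = 192.168.10.0/24
define mgmt_port = 8443
table inet filter {
    chain input {
        # new management connections only from the management subnet, rate-limited
        ip saddr $mgmt_net tcp dport $mgmt_port ct state new limit rate 10/second accept
        # log and drop attempts from anywhere else
        tcp dport $mgmt_port log prefix "mgmt-denied: " drop
    }
}
EOF
}

# Dry-run every file in conf.d with nft; stop at the first invalid one.
nft_rules_check() {
    for f in "$NFT_DIR"/conf.d/*.conf; do
        [ -e "$f" ] || continue
        nft -c -f "$f" || { echo "invalid rules in $f" >&2; return 1; }
    done
}

# Reload only if every file passes: the service reload flushes the ruleset
# before loading, so a broken file would otherwise leave the gateway unfiltered.
nft_rules_apply() {
    nft_rules_check || return 1
    rc-service nftables reload
}

case "${1:-}" in
    status) nft_rule_status ;;
    enable) nft_rule_enable "$2" "$3" ;;
    sample) nft_rule_write_sample ;;
    check)  nft_rules_check ;;
    apply)  nft_rules_apply ;;
esac
```

Typical use on the gateway is sudo ./nftrules.sh enable 30 snmp followed by sudo ./nftrules.sh apply; status shows what the symbolic links in conf.d currently enable. Checking the files one by one does not catch references between files (for example a set defined in one fragment and used in another); if the service's entry file includes the others, running nft -c -f on that file instead validates the whole set at once.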