project-trident / trident-docs Public
Firewall open port
Warning
These instructions only work for a release > 20.02. For an older release you can manually copy the files from the Trident core repository to the folder /etc/firewall-conf/ and then follow the instructions given here.
Firewall basics
After a fresh install of Project Trident there is an active firewall configured that enables any outgoing network traffic but denies any incoming traffic. That's a safe point to start from, but maybe you want to ssh into your machine, so at least one port must be opened up.
Nftables is used as the firewall, and the default firewall settings are configured in the file /etc/firewall-conf/open-out.conf. Do not make any changes there; that file may well be overwritten by future updates!
This file does, however, include all custom-*.conf files in the same directory. There is also a sample file to get you started.
Before those files are included,
- all existing rules are flushed
- a new table `filter` is created
- a new chain `input` is created and hooked into the netfilter infrastructure for incoming network traffic
In this context your own rules can be added to a custom-*.conf file.
To open a port you basically add a line with the command

```
add rule inet filter input <prot> dport <port> accept
         ^    ^      ^     ^            ^
         |    |      |     |            |
         |    |      |     |            port to open
         |    |      |     protocol
         |    |      |
         |    |      chain
         |    table
         family
```
Example

```
add rule inet filter input tcp dport 22 accept
```

This translates to: add a rule for the `inet` family to the table `filter` in the `input` chain to accept connections to port 22 with protocol `tcp`.
Work with the sample file

- Become root
  ```
  sudo su -
  ```
- Copy the sample file
  ```
  cd /etc/firewall-conf
  cp custom-input.conf.sample custom-input.conf
  ```
- Edit the copied file. As an example, the hash before the line that opens port 22 for ssh is removed. Of course you can use the editor of your choice to do so.
  ```
  sed -i -e 's/#add rule inet filter input tcp dport 22 accept/add rule inet filter input tcp dport 22 accept/g' custom-input.conf
  # show the result
  grep --after-context=1 'ssh' custom-input.conf
  ```
- Restart the firewall
  ```
  sv restart nftables
  ```

That's it.
If you want to open other ports, simply copy one or more of the sample lines and change the protocol and/or port.
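Before restarting the firewall it is worth checking what the edited custom-*.conf actually opens. The script below is an added example (not part of the Trident docs): it lists the ports opened by active rules and flags rules that do not target the `inet filter input` chain that open-out.conf creates, on the assumption that no other chain is meant to receive custom rules; the sample file content is constructed.

```shell
#!/bin/sh
# Added example, not part of the Trident docs: audit a custom-*.conf before
# running "sv restart nftables". Commented-out rules open nothing, and rules
# that reference a chain other than inet filter input (assumed here to be the
# only chain meant for custom rules) would fail to load.

# Print "proto port" for every active rule of the form
# "add rule inet filter input <prot> dport <port> accept" read from stdin.
open_ports() {
    grep -E '^[[:space:]]*add rule inet filter input [a-z]+ dport [0-9]+ accept' \
        | awk '{ print $6, $8 }'
}

# Print active "add rule" lines that target something other than
# the inet filter input chain.
misplaced_rules() {
    grep -E '^[[:space:]]*add rule ' | grep -Ev '^[[:space:]]*add rule inet filter input '
}

# Constructed sample resembling custom-input.conf (not the real sample file).
SAMPLE_CONF='# ssh, still commented out, so port 22 stays closed
#add rule inet filter input tcp dport 22 accept
# http
add rule inet filter input tcp dport 80 accept
# mosh
add rule inet filter input udp dport 60000 accept
# wrong chain name: this rule would fail to load
add rule inet filter forward tcp dport 443 accept'

echo "ports opened by active rules:"
printf '%s\n' "$SAMPLE_CONF" | open_ports
echo "rules that do not target inet filter input:"
printf '%s\n' "$SAMPLE_CONF" | misplaced_rules
```

Run the same checks against the real file with `open_ports < /etc/firewall-conf/custom-input.conf`.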
More information about nftables
Have a look at the nftables Wiki.