New firewall system for Sympl using nftables

Hmm. Point taken. Probably for sympl you want to set it to sympl. I have one system using root and another using my login. The solution depends on what you want to do. There is no real answer for everyone.

Looking through the instructions, there are too many lumps and 'if's. It's a couple of years since I installed it, and the document we made as a straightforward walkthrough is now a 404 error as far as I can make out.

Frankly, I have bottled out. I’ll stick with the Sympl default firewall. Yours is almost certainly better, but not idiot-proof enough for me.

The document was for manual installation. The preferred way now is to use the Debian package - which does all the stuff. However, it’s your machine.

If the package install does all that is needed, it would be a huge help if the docs said so.

Hmm. Well I think that para 3 of the GitHub ‘front’ page is pretty explanatory. Of course things can always be improved.

That paragraph leaves me puzzled. If I follow it, I am sent to various different sections or documents, and it’s not really clear where to return to.

Assume that I am installing on a Sympl system. It says I have to switch to the modern sort of firewall (could that be automated?)

Then there’s a section about what to do If you have a running firewall. Not sure whether I can ignore that.

Then there's a bit about converting from Sympl or Symbiosis, which would ideally be automated.

But I decided to give it a try. I successfully switched to the modern firewall and tried installing the Debian package:

```
$ sudo dpkg -i nftfw_0.9.13-1_all.deb
dpkg-deb: error: 'nftfw_0.9.13-1_all.deb' is not a Debian format archive
dpkg: error processing archive nftfw_0.9.13-1_all.deb (--install):
 dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
 nftfw_0.9.13-1_all.deb
```

dpkg doesn’t install dependencies and may complain and stop. If this happens run:

$ sudo apt-get --fix-broken install

which will install the dependencies and then install nftfw.

```
$ sudo dpkg -i nftfw_0.9.13-1_all.deb
dpkg-deb: error: 'nftfw_0.9.13-1_all.deb' is not a Debian format archive
dpkg: error processing archive nftfw_0.9.13-1_all.deb (--install):
 dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
 nftfw_0.9.13-1_all.deb
$ sudo apt-get --fix-broken install
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```

Hmm. Sorry I misread your posting. I think that it’s possible that you have an appropriately named file but with inappropriate contents. This should tell you what you have downloaded:

$ file nftfw_0.9.13-1_all.deb
nftfw_0.9.13-1_all.deb: Debian binary package (format 2.0), with control.tar.xz, data compression xz

Then

$ dpkg-deb --info nftfw_0.9.13-1_all.deb

should also give you lots of information about the package.

I've pulled both the file and the nftfw_current.zip file from GitHub and they all check out. I've installed one of them on a test machine.

Getting the files from GitHub turns out to be more complicated than intuitive:

  • Click into the packages folder
  • Click on nftfw_current.zip
  • Click on the ‘Download’ button on this page.

I hope that this assists.

I think that must be the problem. I simply used wget to fetch it from and to the server. Perhaps that just got me a web page. I’ll download it to my laptop, then upload to the server.
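The suspicion in the thread is that wget saved a GitHub web page under the .deb filename, which is exactly what produces dpkg's "is not a Debian format archive" error. The script below (added here as an illustration, not part of the nftfw project or the posts above) does the same sanity check as `file`, but without relying on a magic database: a .deb is an `ar` archive starting with `!<arch>` whose first member is named `debian-binary`, and anything starting with an HTML doctype is a saved web page. The sample files it constructs are made up for the demonstration.

```shell
#!/bin/sh
# Inspect a file that is supposed to be a .deb before running dpkg -i.
# Returns 0 for a Debian archive, 2 for an HTML page (a mis-aimed download),
# 1 for anything else. Diagnosis goes to stdout.
check_deb_archive() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file"; return 1; }
    # Bytes 0-7 of an ar archive are the magic "!<arch>\n" (newline stripped by $()).
    magic=$(dd if="$f" bs=8 count=1 2>/dev/null)
    # Bytes 8-23 are the first member's name field; a .deb's is "debian-binary".
    member=$(dd if="$f" bs=1 skip=8 count=13 2>/dev/null)
    if [ "$magic" = "!<arch>" ] && [ "$member" = "debian-binary" ]; then
        echo "$f: Debian binary package (ar archive, first member debian-binary)"
        return 0
    fi
    # A GitHub page fetched with wget is HTML, however the file was named.
    if dd if="$f" bs=512 count=1 2>/dev/null | grep -qiE '<!doctype html|<html'; then
        echo "$f: HTML page, not a package; download the raw asset instead"
        return 2
    fi
    echo "$f: unrecognised content, neither a .deb nor an HTML page"
    return 1
}

# Constructed sample inputs (not real downloads): the 68-byte header a real
# .deb starts with, and the kind of HTML page a mis-aimed wget saves.
make_samples() {
    dir=$1
    mkdir -p "$dir"
    { printf '!<arch>\n'
      # ar member header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"
      printf '%-16s%-12s%-6s%-6s%-8s%-10s`\n' debian-binary 0 0 0 100644 4
      printf '2.0\n'; } > "$dir/good.deb"
    printf '<!DOCTYPE html>\n<html lang="en"><head><title>packages</title></head></html>\n' \
        > "$dir/page.deb"
}

# Usage: sh check_deb.sh nftfw_0.9.13-1_all.deb
if [ $# -gt 0 ]; then
    check_deb_archive "$1"
fi
```

A file that passes this check can still be inspected with `dpkg-deb --info` as suggested above; the script only catches the "wrong file under the right name" case.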

It’s a couple of years since you suggested including this in Sympl, as well as maybe making Borg the backup system.

I realise that life rarely goes according to plan, but making both of these changes part of mainstream Sympl would seem like a really good idea.

Replacing the firewall system wholesale is a huge amount of work and testing, and there needs to be complete feature parity and config support even for the odd edge cases, as the last thing you want is a firewall config that breaks itself with an automatic update.

Similarly, integrating Borg backup would be nice, but backup2l was chosen specifically because the backups are simply tar.gz files and have no requirements of the target filesystem, so if the worst happens, you can still extract the backups; again, you don't want to apply a security update which renders people's old backups useless.

These are nice-to-haves, but both require significant development, and maintaining Sympl isn't my full-time job; there is more important functionality (sympl-dns, and an update to sympl-ssl for example) which matters more going forward.


I have been using nftfw for a year on a Bitnami stack on gcloud. I chose it because I thought it integrated my firewall requirements well. These include blacklisting using GeoCountry and various blacklist providers, website and email hack monitoring and prevention, and strong server firewall protection. I am now planning to migrate the Debian 10 Cloud instance to a Debian 11 build on a server at home (since I now have full fibre Internet). I have built the Sympl system on this and was thinking of using the nftfw firewall.
BUT, if I do, will I have issues with the Sympl and Debian auto updating and be forever spending time maintaining the nftfw system as well as having downtime on a live system?
I need to know what are the advantages of nftfw over the standard sympl firewall, and can the Sympl Firewall be modified to include any omissions or improvements (albeit at the risk of maintaining such changes myself).

Footnote:
I am trying to make my websites (which have been running since 1996 in many guises with increasing complexity) more easily maintained and rebuilt the next time there is a major upgrade (Debian 12 and PHP 8 etc). As you might guess such an old website has had a lot of re-organisation whilst trying to maintain historical links to pages on it. The website houses many services and access control systems.

I was running nftfw for a year or two with no hassles. When I started afresh with a new system I wanted to keep it vanilla Sympl, but as the thread above shows, that requires compromises, so I think I'll switch to nftfw (and Borg) when time permits.

I have discussed this with Peter Collinson who created nftfw and have installed nftfw on my Sympl system with all of Peter’s mail enhancements. As yet I have not moved all the systems to the Debian 11 server or made the switch to going live on it.
It seems the Debian and Sympl communities are dragging their feet adopting nft as the preferred firewall. I will still take the risk that they will see the light. Until then nft users should lobby the communities to make the switch to nft.

there is more important functionality (sympl-dns, and an update to sympl-ssl for example) which matters more going forward.

And I’d add a pi4 image of sympl for bullseye to the list. There used to be one, then suddenly there wasn’t.

It’s three or four months later. Is there any progress?

Mythic Beasts moved to a different system for building Debian packages, and while the normal amd64 ones are okay, it seems the RPi ones aren't being built as they should be.

It’s on the list to look at, however…


I’m a bit puzzled by “Exim - ch11” on GitHub - pcollinson/sympl-email-changes: Changes to the sympl exim4 settings to improve firewall feedback

It’s not clear to me which file to amend, or how. Did something get missed off?

The edit is a sed script in Install.sh that changes 00-main/50-tls-options. I think this change made it into the standard release at some point so was no longer really needed.

I think it’s still log_selector = +tls_sni

I was going to say edits are still required, but on Sympl 11 `sudo exim -bP macros` shows:

_LOG_SMTP_PROTOCOL_ERROR=y
_LOG_INCOMING_INTERFACE=y
_LOG_SMTP_MAILAUTH=y

So, it looks like you were exactly right and this post is a waste of time :wink: (unless redefining the macros [via ==] changes play, and the need to change any version of Sympl's 50-tls-options disappears).