A real Linux
for phones
and other mobile devices
A real Linux distribution for phones
and other mobile devices
For Linux enthusiasts
Latest news: The Road to systemd

Enabling of Firewall in new/existing installations

June 14, 2021 1 min. read

postmarketOS now includes default configuration for a firewall using nftables. The firewall is enabled on boot, but will only succeed on devices that have kernels with nftables support compiled in. All "main" and most "community" devices have this kernel configuration set. Other devices with recent (>3.12) kernels need additional configuration to support nftables, see the wiki for more information on configuring the kernel. nftables is not supported on kernels older than 3.13.

Since the nftables service is set to start on boot regardless of whether the kernel supports nftables, the firewall will be activated automatically later on if the device's kernel receives an update that enables nftables support.

Configuration of nftables is flexible. If the default rules are too restrictive for your use case, then additional rules can be specified in /etc/nftables.d. See the wiki section on Usage for more information on configuring additional rules.

A list of the default rules enabled for the firewall, along with some information about basic usage, verifying startup, etc can be viewed here on the wiki: https://postmarketos.org/firewall

The firewall configuration was implemented in the following merge requests: