postmarketOS now includes a default configuration for a firewall using nftables. The firewall is enabled on boot, but will only start successfully on devices whose kernels have nftables support compiled in. All "main" and most "community" devices have this kernel configuration set. Other devices with recent (>3.12) kernels need additional configuration to support nftables; see the wiki for more information on configuring the kernel. nftables is not supported on kernels older than 3.13.
Since the nftables service is set to start on boot regardless of whether the kernel supports nftables, the firewall will be activated automatically later on if the device's kernel receives an update that enables nftables support.
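As an added example (not part of postmarketOS or its wiki), the POSIX sh script below checks the two conditions described above on a running device: a kernel of 3.13 or newer, and CONFIG_NF_TABLES built in or available as a module. It assumes the kernel config can be read from /proc/config.gz or /boot/config-<release>, and that `nft` is installed so the rules can be listed afterwards.

```shell
#!/bin/sh
# Added example (not postmarketOS code): check whether the running kernel
# meets the two conditions above for the nftables firewall to start:
# kernel >= 3.13 and CONFIG_NF_TABLES built in (y) or as a module (m).

# Return 0 if version string $1 (e.g. "3.12.1", "6.1.0-rc2") is >= 3.13.
kver_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    minor=${minor%%[!0-9]*}          # drop suffixes such as "13-rc1"
    [ "${major:-0}" -gt 3 ] || { [ "${major:-0}" -eq 3 ] && [ "${minor:-0}" -ge 13 ]; }
}

# Return 0 if the kernel config file $1 enables nftables.
config_has_nft() {
    grep -Eq '^CONFIG_NF_TABLES=(y|m)$' "$1"
}

# Print the running kernel's config: /proc/config.gz needs CONFIG_IKCONFIG_PROC,
# otherwise fall back to /boot/config-<release> (assumed locations).
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Exit status: 0 = firewall can start, 1 = kernel lacks support, 2 = cannot tell.
check_firewall_support() {
    rel=$(uname -r)
    if ! kver_ok "$rel"; then
        echo "kernel $rel is older than 3.13: nftables is not supported"; return 1
    fi
    tmp=$(mktemp) || return 2
    if ! running_config > "$tmp"; then
        echo "kernel config not readable: cannot verify CONFIG_NF_TABLES"; rm -f "$tmp"; return 2
    fi
    if config_has_nft "$tmp"; then
        echo "kernel $rel has nftables support; 'nft list ruleset' should show the default rules"; rc=0
    else
        echo "kernel $rel lacks CONFIG_NF_TABLES: the nftables service will fail on boot"; rc=1
    fi
    rm -f "$tmp"; return $rc
}

[ -n "${SKIP_FW_CHECK:-}" ] || check_firewall_support
```

On an OpenRC system such as postmarketOS, `rc-service nftables status` then confirms whether the service itself came up.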
Configuration of nftables is flexible. If the default rules are too restrictive for your use case, then additional rules can be specified in See the wiki section on Usage for more information on configuring additional rules.
A list of the default rules enabled for the firewall, along with some information about basic usage, verifying startup, etc., can be viewed here on the wiki: https://postmarketos.org/firewall
The firewall configuration was implemented in the following merge requests: