Firewall

postmarketOS edge and v21.06 or higher ship with an nftables-based firewall configured by default, provided the device's kernel has support for it.

Default rules
The following rules are enabled by default:

 * Allow incoming SSH on the USB networking and WiFi interfaces
 * Allow incoming DHCP requests on the USB networking interface
   * Without this, USB networking would require assigning a static IP address manually on the host, so it is included for convenience.
 * Deny all incoming connections on wwan (cell data network)
   * The assumption is that no incoming connection on this network, which is owned and managed by the cell carrier, should be trusted. Users are in any case not able to reach their devices on this interface over the cell network.
 * Allow all outgoing connections on all interfaces
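The default policy above, written out as one complete nftables ruleset. This is an added example for this page, not the ruleset shipped by postmarketos-config-nftables (linked at the bottom of the page). The interface names usb0, wlan0 and wwan0 are assumptions; the loopback, established/related and ICMP accept lines are not in the summary above, but any default-drop input chain needs them so that replies to outgoing connections, path MTU discovery and IPv6 neighbour discovery keep working. The shell wrapper writes the ruleset to a file and, where the nft binary is present, syntax-checks it with `nft -c -f` without loading it.

```shell
#!/bin/sh
# Added example: nftables ruleset matching the default policy described above.
# Not the ruleset from postmarketos-config-nftables; interface names are assumptions.

# write_default_ruleset FILE: write the example ruleset to FILE.
write_default_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Not in the page's summary, but required for a usable default-drop policy:
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP/ICMPv6 (path MTU, IPv6 neighbour discovery); dropping it breaks IPv6 on wwan0
        meta l4proto { icmp, ipv6-icmp } accept

        # Allow incoming SSH on USB networking and WiFi (interface names assumed)
        iifname { "usb0", "wlan0" } tcp dport 22 accept

        # Allow incoming DHCP requests on USB networking, so the host gets an address
        iifname "usb0" udp dport 67 accept

        # wwan0 (cell data): nothing above matches, so traffic falls through to the drop policy
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Allow all outgoing connections on all interfaces
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset FILE: syntax-check the file without loading it (nft -c), if nft is installed.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed here; skipping syntax check" >&2
    fi
}

write_default_ruleset /tmp/pmos-default.nft
check_ruleset /tmp/pmos-default.nft
```

Loading it for real (as root, `nft -f /tmp/pmos-default.nft`) replaces whatever ruleset is currently active, so do that only over USB or WiFi, where the SSH rule still lets you back in.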

Check if it is running
Firewall service status can be viewed by querying openrc. If the service does not show as started, the kernel may not have support for nftables (see the section on configuring the kernel below).

The currently loaded set of rules can be viewed with:

Usage
The openrc init script controls loading the firewall on boot. This service can be disabled to turn the firewall off, or enabled to turn it back on:

Additional rules can also be added. The following packages are available in pmaports to add rules or functionality:

 * Adds a rule to allow all incoming connections over the USB networking interface. Useful for debugging pmOS, but not recommended for normal use, since every service listening on the device becomes reachable from whatever host it is plugged into.
 * Adds rules to log incoming and dropped connections, useful for debugging firewall-related connection issues. This may generate a lot of messages in syslog.

Configuring the kernel to support nftables

 * Run  to get a list of kernel config options that need to be changed
 * Fix them up with
 * Add  to   in your kernel's APKBUILD
 * Create a test install with
 * Boot it and verify that the firewall works
 * Create a merge request to pmaports.git with your changes
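A quick way to see whether a kernel config already has what the firewall needs, before going through the steps above: the script below greps a kernel .config for the nftables-related options and reports the ones that are neither built in (=y) nor modular (=m). It is an added example written for this page, not a pmbootstrap tool. The option list is an assumed, representative subset, and option names change between kernel versions, so treat the list pmbootstrap reports for your kernel as authoritative. The .config fragment it runs against is constructed for the example, with two options deliberately left unset.

```shell
#!/bin/sh
# Added example: check a kernel .config for nftables options the firewall needs.
# The list below is an assumed, representative subset; option names vary between
# kernel versions, so the list pmbootstrap reports for your kernel is authoritative.
NFT_KCONFIG_REQUIRED="
CONFIG_NETFILTER
CONFIG_NF_CONNTRACK
CONFIG_NF_TABLES
CONFIG_NF_TABLES_INET
CONFIG_NFT_CT
CONFIG_NFT_LOG
CONFIG_NFT_REJECT
"

# check_nftables_kconfig CONFIG: print each required option that is neither =y nor =m.
# Returns 0 when every option is present, 1 otherwise.
check_nftables_kconfig() {
    config="$1"
    missing=0
    for opt in $NFT_KCONFIG_REQUIRED; do
        if ! grep -Eq "^${opt}=(y|m)\$" "$config"; then
            echo "missing: $opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# write_sample_config FILE: constructed .config fragment (not from any real device kernel)
# with CONFIG_NF_TABLES_INET and CONFIG_NFT_LOG deliberately unset.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_TABLES=y
# CONFIG_NF_TABLES_INET is not set
CONFIG_NFT_CT=m
# CONFIG_NFT_LOG is not set
CONFIG_NFT_REJECT=m
EOF
}

write_sample_config /tmp/sample.config
if check_nftables_kconfig /tmp/sample.config; then
    echo "kernel config has nftables support"
else
    echo "kernel config needs changes before the firewall will load"
fi
```

Against a real kernel, point `check_nftables_kconfig` at the config file in the kernel package's pmaports directory, or at `/proc/config.gz` (decompressed) on a booted device.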

Contributing your nftable rules
A key goal of postmarketOS is to be polished. As such, if you install a package and it doesn't work without changing the nftables rules, you should contribute your rules to pmaports. Contributing makes it easier to install the package on your other devices and helps other postmarketOS users.

If your package is not part of the default install, you probably don't want to enable the rule for users that have not installed the package. As such, you can use  in the nftables subpackage to only install the rules if   is installed on the user's device. For more information about , install the   package and read .

Examples of custom nftables rules contributed to pmaports:


 * docker https://gitlab.com/postmarketOS/pmaports/-/merge_requests/2629
 * mosh https://gitlab.com/postmarketOS/pmaports/-/merge_requests/2725
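The conditional-install pattern described above, as an added APKBUILD fragment written for this page (not taken from either merge request linked above). It ships the rules as a subpackage whose `install_if` makes apk pull it in automatically only when both the exact build of the main package and postmarketos-config-nftables are installed; users without the firewall, or without the package, never get the rule. The package name mypkg, its version, the port and the rules file are hypothetical, and the /etc/nftables.d/ drop-in path is an assumption about how the pmOS firewall picks up extra rules.

```shell
# Added example: APKBUILD fragment for shipping firewall rules as a conditional subpackage.
# mypkg, its version and the rules file are hypothetical; /etc/nftables.d/ is an assumed path.
pkgname=mypkg
pkgver=1.0.0
pkgrel=0
pkgdesc="Hypothetical package that needs an inbound TCP port opened"
arch="noarch"
subpackages="$pkgname-nftables"
source="mypkg.nft"

# Subpackage function, named after the suffix in $subpackages.
nftables() {
    pkgdesc="$pkgname (nftables rules)"
    # install_if: apk installs this subpackage automatically only when BOTH the exact
    # main package build and postmarketos-config-nftables are present on the device.
    install_if="$pkgname=$pkgver-r$pkgrel postmarketos-config-nftables"
    install -Dm644 "$srcdir"/mypkg.nft "$subpkgdir"/etc/nftables.d/mypkg.nft
}

# write_sample_rules FILE: the rules file that would sit next to the APKBUILD (constructed
# for this example). It adds one rule to the existing inet filter input chain and keeps the
# same USB/WiFi-only scope as the default SSH rule, so wwan stays closed.
write_sample_rules() {
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        iifname { "usb0", "wlan0" } tcp dport 8080 accept comment "mypkg"
    }
}
EOF
}
```

Outside abuild, `srcdir` and `subpkgdir` are unset; the test below fakes them with temporary directories to exercise the subpackage function.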

Also see:


 * postmarketos-config-nftables https://gitlab.com/postmarketOS/pmaports/-/blob/master/main/postmarketos-config-nftables/APKBUILD