How to disable firewall rule sync to prevent a open firewall after reboot

OS Name/Version: Debian GNU/Linux 10 (buster)

Product Name/Version: AMP Release “Triton” v2.3.2.4, built 22/02/2022 10:57

Problem Description:

After a reboot amp overwrites nftable rules from /etc/nftable.conf

Steps to reproduce:

  • nft -f /etc/nftable.con
  • nft list ruleset
  • reboot
  • nft list ruleset

Actions taken to resolve so far:

disabled and removed ampfirewall.service and ampfirewall.timer
Also removed service files /etc/systemd/system/ampfirewall.*

How to disable the firewall sync?

Turn off the settings in AMP itself to allow instances through the firewall, and exclude all your instances from the firewall in their settings.

Hi Mike,

thanks for your reply, i already excluded all instances from the firewall and also removed the updatefirewall line from /etc/ampinstmgr.conf.
But it keeps overwriting my INPUT chain with

table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
                meta l4proto tcp tcp dport 8080 counter packets 29 bytes 2216 accept comment "AMP Management Instance"

Hmm - if you’ve already disabled the AMPFirewall service and removed the service files it shouldn’t be happening any more (although updating AMP will put those files back) . I suspect there’s a bug with the NFT firewall sync which is making it remove stuff it shouldn’t. It’s only supposed to add/remove rules rather than replacing the entire chain.

Are you able to switch over to UFW for the time being?

Edit: I just took a quick look, it’s definitely just using add rule and delete rule rather than replacing any chains entirely so I’m not sure what’s going on there.

Nevermind :man_facepalming:
somehow i forgot to remove iptables and nftables restore iptable rules on startup(i think or its something else)
I thought it was amp becaues only the 8080 port for amp was inside the chain

Edit: i did not forgot to remove iptables, docker needs ip tables