Quick links
User Documentation
Torproject Sysadmin Team
Howtos
Meeting
Policies
Providers
Roadmaps
Sandbox
Service
Need help?
Tails
Doc
- git, shell, ldap, etc. accounts
- sys admin and service admin tasks
- Bits and pieces of Tor Project infrastructure information
- When using extra.tpo
- Hardware requirements
- How to get help
- Lektor website development environment on macOS
- Naming scheme
- How to report email problems
- Running non-root services
- learning how to do an ssh jump host on tpo
- How make website changes
- Getting an SVN account
Howto
- Web Key Directory
- Apu
- Benchmark
- Build and upload Debian packages
- Cache
- Conference
- Create a new user
- Cumin
- Dns
- Drbd
- Fabric
- Ganeti
- Git
- Gitlab
- RETIRED
- Grafana
- Incident response
- Ipsec
- Creating a tunnel with HE.net
- Irc
- Reference
- Dealing with messed up consoles
- Kvm
- Ldap
- Lektor
- Letsencrypt
- Logging
- LVM cheat sheet
- Nagios
- New machine cymru
- New machine hetzner cloud
- New machine hetzner robot
- New machine mandos
- Billing and ordering
- New machine
- How to get a new Tor System Administrator (with web developer duties) on board
- Nftables
- Openpgp
- Manual web-based OpenStack configuration
- Postgresql
- Puppet
- Raid
- Reboots
- Rename a host
- Rename a user
- Decommissioning a host
- Retire a user
- Rt
- Static component
- Submission
- How-to
- Tls
- Trac
- Upgrades
- YubiKey documentation
- Upgrades
  - Bookworm
  - Bullseye
  - Buster
  - Trixie
Meeting
- Agenda
- 2019 04 08
- 2019 05 06
- 2019 06 03
- 2019 07 01
- 2019 09 09
- 2019 10 07
- 2019 11 04
- 2019 11 25
- 2020 01 13
- 2020 02 03
- 2020 03 09
- Roll call: who's there and emergencies
- 2020 05 11
- Roll call: who's there and emergencies
- 2020 07 01
- Roll call: who's there and emergencies
- 2020 12 02
- 2021 01 19
- 2021 01 26
- Roll call: who's there and emergencies
- 2021 03 02
- 2021 04 07
- 2021 05 03
- 2021 06 02
- 2021 06 14
- 2021 09 07
- Roll call: who's there and emergencies
- 2021 11 01
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2022 01 24
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2023 12 11
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2025 Q1 Roadmap meeting
- 2025 02 10
- 2025 03 10
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2025 05 12
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Template
Policy
- Template
- Tpa rfc 1 policy
- Tpa rfc 10 jenkins retirement
- Tpa rfc 11 svn retirement
- Tpa rfc 12 triage and office hours
- Tpa rfc 13 okrs for roadmap
- Tpa rfc 14 gitlab artifacts
- Tpa rfc 15 email services
- Tpa rfc 16 replacing lektor i18n plugin
- Tpa rfc 17 disaster recovery
- Tpa rfc 18 security policy
- Tpa rfc 19 gitlab labels
- Tpa rfc 2 support
- Tpa rfc 20 bullseye upgrades
- Tpa rfc 21 uninstall svn
- Tpa rfc 22 rename irc
- Tpa rfc 23 retire ipv6only
- Tpa rfc 24 extend merge permissions web
- Tpa rfc 25 btcpay replacement
- Tpa rfc 26 limesurvey upgrade
- Tpa rfc 27 python2 eol
- Tpa rfc 28 alphabetical triage
- Tpa rfc 29 lektor scss plugin
- Tpa rfc 3 tools
- Tpa rfc 30 change lego plugins
- Tpa rfc 31 outsource email
- Tpa rfc 32 nextcloud root level folders migration
- Tpa rfc 33 monitoring
- Tpa rfc 34 office hours ends
- Tpa rfc 35 gitlab email address changes
- Tpa rfc 36 gitolite gitweb retirement
- Tpa rfc 37 lektor replacement
- Tpa rfc 38 new wiki service
- Tpa rfc 39 nextcloud account policy
- Tpa rfc 4 prometheus disk
- Tpa rfc 40 cymru migration
- Tpa rfc 41 schleuder retirement
- Tpa rfc 42 roadmap 2023
- Tpa rfc 43 cymru migration plan
- Tpa rfc 44 email emergency recovery
- Tpa rfc 45 mail architecture
- Tpa rfc 46 gitlab 2fa
- Tpa rfc 47 email account retirement
- Tpa rfc 48 enable new gitlab web ide
- Tpa rfc 5 gitlab
- Tpa rfc 50 private gitlab pages
- Tpa rfc 51 improve l10n review ci workflow
- Tpa rfc 52 cymru migration timeline
- Tpa rfc 53 security keys
- Tpa rfc 54 build boxes retirement
- Tpa rfc 55 swap file policy
- Tpa rfc 56 large file storage
- Tpa rfc 57 bookworm upgrades
- Tpa rfc 58 podman runner
- Tpa rfc 59 ssh jump host aliases
- Tpa rfc 6 naming convention
- Tpa rfc 60 gitlab 2fa enforcement
- Tpa rfc 61 roadmap 2024
- Tpa rfc 62 tpa password manager
- Tpa rfc 63 storage server budget
- Tpa rfc 64 puppet tls certificates
- Tpa rfc 65 postgresql backups
- Tpa rfc 66 gitlab ultimate program
- Tpa rfc 67 retire mini nag
- Tpa rfc 68 idle canary servers
- Tpa rfc 69 civicrm http basic auth
- Tpa rfc 7 root
- Tpa rfc 70 move tails sysadmin issues
- Tpa rfc 71 emergency email deployments round 2
- Tpa rfc 72 migrate donate 01 to gnt dal cluster
- Tpa rfc 73 tails infra merge roadmap
- Tpa rfc 74 gitlab ci retention policy
- Tpa rfc 75 new office hours
- Tpa rfc 76 puppet merge request workflow
- Tails and TPA Puppet codebase merge
- Tpa rfc 78 dangerzone retirement
- Tpa rfc 79 general merge request workflows
- Tpa rfc 8 gitlab ci libvirt
- Tpa rfc 80 debian trixie upgrade schedule
- Tpa rfc 81 gitlab access
- Tpa rfc 82 merge tor and tails support policies
- Tpa rfc 83 mail log retention
- Tpa rfc 84 minio backups and scaling
- Tpa rfc 85 invite only internal irc channels
- Tpa rfc 86 identity access management
- Tpa rfc 87 container image lifecycle
- Background
- Tpa rfc 89 gitaly migration
- Tpa rfc 89 gitlab encrypted confidential notifications
- Tpa rfc 9 proposed process
- Tpa rfc 90 signed commits
- Tpa rfc 91 incident response
- Tpa rfc 92 emergency bbb hosting provider change
Provider
- Autistici / Inventati
- PUSCII
- Quintex
Roadmap
- 2020
- 2021
- 2022
- 2023
- Priorities for 2025
- Tails merge
Service
- BTCpayserver
- Anon ticket
- Backup and restore procedures
- Blog
- Cdn
- Ci
- Crm
- Dangerzone
- Debian archive
- Documentation
- Donate
- Email
- Forum
- Jenkins
- Lists
- Nextcloud
- Object storage
- Onion
- Password manager
- Prometheus
- Schleuder
- Static shim
- Status
- Styleguide
- Support Portal
- Survey
- Template
- Tor weather
- Vault
Tails
- How tos
- Processes
- Tails Sysadmins role description
- Scripts
- Services managed by Tails Sysadmins
- Systems
- How tos
- Processes
  - Improve the infrastructure behind Tails
  - Onboarding new Tails sysadmins
- Scripts
  - Managing mirrors
- Services
- Systems
  - Boot times
  - Chameleon
    - OOB access
  - Dragon
    - Rebooting Dragon
    - Hardware
  - Ecours
    - Information
  - Gecko
    - Information
  - Iguana
    - Hardware
  - Lizard
    - Boot
    - Parts details
    - Setup
  - Skink
    - Skink
    - Usage policy for skink.tails.net
  - Stone
    - Hardware
    - Information
  - Teels
    - Information

IMPORTANT NOTE: most Tor servers do not currently use nftables, as we still use the Ferm firewall wrapper, which only uses iptables. Still, we sometimes end up on machines that might have nftables and those instructions will be useful for that brave new future. See tpo/tpa/team#40554 for a followup on that migration.

[[TOC]]

Listing rules

nft -a list ruleset

The -a flag shows the handles which is useful to delete a specific rule.

Checking and applying a ruleset

This checks the ruleset of Puppet rule files as created by the puppet/nftables modules before applying it:

nft -c -I /etc/nftables/puppet -f /etc/nftables/puppet.nft

This is done by Puppet before actually applying the ruleset, which is done with:

nft -I /etc/nftables/puppet -f /etc/nftables/puppet.nft

The -I parameter stands for --includepath and tells nft to look for rules in that directory.

Inserting a rule to bypass a restriction

Say you have the chain INPUT in the table filter which looks like this:

table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 accept
        reject
    }
}

.. and you want to temporarily give access to the web server on port 443. You would do a command like:

nft insert rule inet filter INPUT 'tcp dport 443 accept'

Or if you need to allow a specific IP, you could do:

nft insert rule inet filter INPUT 'ip saddr 192.0.2.0/24 accept'

Blocking a host

Similarly, assuming you have the same INPUT chain in the filter table, you could do this to block a host from accessing the server:

nft insert rule inet filter INPUT 'ip saddr 192.0.2.0/24 reject'

That will generate an ICMP response. If this is a DOS condition, you might rather avoid that and simply drop the packet with:

nft insert rule inet filter INPUT 'ip saddr 192.0.2.0/24 drop'

Deleting a rule

If you added a rule by hand in the above and now want to delete it, you first need to find the handle (with the -a flag to nft list ruleset) and then delete the rule:

nft delete rule inet filter INPUT handle 39

Be VERY CAREFUL with this step as using the wrong handle might lock you out of the server.

Other documentation

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search