Requirements
System Requirements
| Requirement | Minimum | Notes |
|---|---|---|
| Kernel | 3.13+ | nftables netlink API introduced in 3.13 |
| nftables | any | apt install nftables on Debian/Ubuntu |
| init system | systemd | required for service management and socket activation |
| Architecture | amd64 or arm64 | pre-built binaries available for both |
| RAM | ~32 MB | combined for both processes at idle |
| Disk | ~20 MB | binaries + assets + config |
| Root/CAP_NET_ADMIN | required | the core daemon must have CAP_NET_ADMIN to write nftables rules |
Supported Distributions
easywall is tested on:
| Distribution | Architecture | Status |
|---|---|---|
| Debian 12 (Bookworm) | amd64, arm64 | ✅ Fully supported |
| Debian 11 (Bullseye) | amd64, arm64 | ✅ Fully supported |
| Ubuntu 24.04 LTS | amd64, arm64 | ✅ Fully supported |
| Ubuntu 22.04 LTS | amd64, arm64 | ✅ Fully supported |
| Raspbian (based on Debian 12) | arm64 | ✅ arm64 binary |
Other systemd-based distributions with nftables support (Arch, Fedora, openSUSE) should work but are not tested in CI.
Network Ports
| Port | Process | Protocol | Purpose |
|---|---|---|---|
| 12227 | easywall-web | HTTPS (TLS 1.2+) | Web interface |
Only one inbound port is required. easywall-core communicates with easywall-web via a Unix socket — no additional TCP/UDP ports are opened between the two processes.
nftables Prerequisites
The nftables package must be installed:
# Debian / Ubuntu
sudo apt-get install nftables
# Arch Linux
sudo pacman -S nftables
# Fedora / RHEL
sudo dnf install nftables
easywall uses the inet easywall table exclusively. It does not touch any pre-existing tables or chains. If you have existing nftables rules from another tool, they will not be affected.
If your system uses both iptables-legacy and nftables, the rule sets may interfere with each other. Check with update-alternatives --list iptables. On modern Debian/Ubuntu the iptables binary already delegates to nftables via iptables-nft.
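The checks from the System Requirements table and the nftables prerequisites can be scripted before installation. The following is an added example, not part of easywall; all function names are illustrative, and it assumes that iptables 1.8+ prints its variant in parentheses in `iptables --version`.

```bash
#!/usr/bin/env bash
# Added example, not easywall code; all function names are illustrative.

# kernel_ok RELEASE: true if a `uname -r` string is 3.13 or newer.
kernel_ok() {
    local major="${1%%.*}" minor="${1#*.}"
    minor=${minor%%[!0-9]*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 13 ]; }
}

# arch_ok MACHINE: true for `uname -m` values of the amd64/arm64 builds.
arch_ok() {
    case "$1" in x86_64|amd64|aarch64|arm64) return 0 ;; esac
    return 1
}

# has_cap_net_admin HEX: true if bit 12 (CAP_NET_ADMIN) is set in a
# CapEff mask as printed in /proc/<pid>/status.
has_cap_net_admin() {
    [ $(( (0x${1:-0} >> 12) & 1 )) -eq 1 ]
}

# iptables_backend LINE: classify `iptables --version` output.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# preflight: run every check on this host; non-zero on any FAIL. CapEff is
# read for the calling shell, so run it with the privileges the core daemon gets.
preflight() {
    local rc=0 capeff
    kernel_ok "$(uname -r)" || { echo "FAIL kernel $(uname -r) is older than 3.13"; rc=1; }
    arch_ok "$(uname -m)" || { echo "FAIL unsupported arch $(uname -m)"; rc=1; }
    command -v nft >/dev/null || { echo "FAIL nft binary not found"; rc=1; }
    [ -d /run/systemd/system ] || { echo "FAIL systemd is not the running init"; rc=1; }
    capeff=$(awk '/^CapEff:/ {print $2}' "/proc/$$/status")
    has_cap_net_admin "$capeff" || { echo "FAIL CAP_NET_ADMIN missing (CapEff=$capeff)"; rc=1; }
    if command -v iptables >/dev/null &&
       [ "$(iptables_backend "$(iptables --version)")" = legacy ]; then
        echo "WARN iptables-legacy is active; its rules may interfere with nftables"
    fi
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run the script with `--run` to check the current host; a `WARN` line does not change the exit status.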
Upgrading from easywall v1 (Python)
easywall v1 used iptables. v2 uses nftables. Before installing v2:
- Stop the v1 services and disable them:
  sudo systemctl stop easywall easywall-web
  sudo systemctl disable easywall easywall-web
- Clear old iptables rules (optional; they are independent of nftables):
  sudo iptables -F
  sudo iptables -X
  sudo ip6tables -F
  sudo ip6tables -X
- Remove the Python package if installed via pip:
  pip uninstall easywall
- Install easywall v2. Your old rules.yml (YAML) cannot be imported directly; use the Export/Import feature (JSON format) after setting up v2.
Not Required
- Python, pip, or any Python runtime
- Node.js or npm
- Any database (SQLite, PostgreSQL, etc.)
- Docker (unless you use the Docker deployment option)
- Go toolchain on the target server (install the pre-built binary or .deb package)