I installed ZimaOS on my mini PC and have used it for months. Everything is great!
(Well, it’s a little bit inconvenient for the lack of package installation at first, but I can install tools with Docker, so why do I need to install packages?)
But recently, my ISP switched to MAP-E, which means I cannot use port forwarding to allow incoming connections anymore, and I have to connect to the service through IPv6. To achieve this, I have to turn off the firewall, which can only be turned on/off without rule settings.
But if I do so, all devices, including my server running ZimaOS, would be exposed on the Internet by IPv6 directly. So I suppose setting up some firewall rules may be helpful.
But I can’t find such a setting in ZimaOS, either in the WebGUI or on the command line. I believe there must be such a feature but I just couldn’t find it. So, is there anyone who can help me with this, so I won’t be forced to abandon ZimaOS and switch back to a Linux distro?
Great to hear you’ve been running ZimaOS for a while and enjoying it. It’s such a smart, lightweight system once you get used to running everything in Docker. The community here is super active too, so you’re definitely in the right place.
About your question: at the moment ZimaOS doesn’t have a built-in firewall rules page or an easy GUI for allow/deny lists. The base is a clean Debian setup and they’ve kept it very minimal, so there’s no built-in UFW or similar.
Most of us handle it one of three ways:
- Use a secure tunnel. Things like Tailscale or Cloudflare Tunnel work really well with ZimaOS. They keep your box off the public internet (even on IPv6) but let you connect back in easily.
- Be picky with ports. Don’t run containers in host mode unless needed, and only bind the services you really want open (often behind a reverse proxy).
- Advanced route. Some power users load their own nftables rules for IPv6 filtering, but that’s DIY and takes a bit of Linux comfort.
Because MAP-E breaks classic IPv4 port forwarding and leaves you wide open on IPv6, most people just use a tunnel. It’s the easiest and safest way to stay reachable without exposing the whole server.
2 Likes
Thank you for your response.
I am using Cloudflare Tunnel for most of the services, but I also have a VPN service so I can connect back to my home network from anywhere and also accelerate my Internet access (my mobile network becomes slow while accessing popular sites in a crowd; with the VPN it is faster, since nobody else is connecting to my home).
So, I have to expose the VPN UDP port.
Also, I am not an expert, but I still have some basic knowledge about Linux. Can you share more details or hints with me about the “Advanced route” approach? As far as I know, I cannot install any software since the package manager (apt) is not available in ZimaOS. And I suppose it is also not a built-in tool, since I couldn’t find either the command or the config file.
Got it, that makes sense if you still need to keep a VPN port open.
I’m no expert either, but I do a lot of testing and I’ve broken my system many times. I spend a lot of time reading forum posts and learning as I go.
ZimaOS doesn’t include a built-in firewall editor, but under the hood it’s still a Debian-based Linux system and already has the modern firewall engine nftables. You don’t need to install anything extra; the kernel and the nft command are there even though the package manager is disabled.
The “advanced route” is simply creating your own nftables rules to control what traffic is allowed in. You write a small rules file that only lets through what you need, e.g. your VPN UDP port, existing connections and the essential IPv6 traffic, and blocks everything else. Once the file is ready you load it with nft to test, then set up a tiny systemd service so the rules come back automatically every time the machine boots.
Because nftables is already part of the system, you can do this without adding any packages. The key is to test locally first so you don’t lock yourself out. If something goes wrong you can flush the rules and get back to an open state. It’s just a text file and a small startup service, so it’s easy to tweak, back up or disable later if needed.
It’s a clean, minimal way to keep only your VPN port open and block everything else and it doesn’t rely on unsupported tools or extra software.
1 Like
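What the reply above describes, written out as an added example (this is not code from the thread, from ZimaOS or from IceWhale): a small POSIX shell script that emits the nftables ruleset (default-drop input, loopback, established/related, ICMP/ICMPv6, DHCPv6, LAN sources, one VPN UDP port), emits a oneshot systemd unit that reloads it at boot, and loads it with a timed revert so a mistake cannot lock you out. It assumes the VPN listens on UDP 51820, that the rules live in /etc/nftables.conf, that the unit is named nftables-local.service, and that the nft binary is present; as the follow-up below reports, ZimaOS does not ship nft, so this is what the approach looks like on a Linux host that does have it.

```shell
#!/bin/sh
# Added example, not ZimaOS code. Assumptions (not from the thread): VPN on
# UDP 51820, rules in /etc/nftables.conf, unit named nftables-local.service,
# nft available at /usr/sbin/nft. Override with VPN_PORT/RULES_FILE/UNIT_FILE.
VPN_PORT="${VPN_PORT:-51820}"
RULES_FILE="${RULES_FILE:-/etc/nftables.conf}"
UNIT_FILE="${UNIT_FILE:-/etc/systemd/system/nftables-local.service}"

# Accept only a numeric port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ruleset for the given (or default) VPN port. Only our own table is
# flushed, not the whole ruleset: Docker's iptables-nft tables must survive a
# reload. Only the input hook is filtered; the forward path is left to Docker.
ruleset() {
    _port="${1:-$VPN_PORT}"
    valid_port "$_port" || { echo "invalid port: $_port" >&2; return 1; }
    cat <<EOF
add table inet filter
flush table inet filter
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not work without ICMPv6 (neighbour discovery, router
        # advertisements, packet-too-big); ICMP is kept for IPv4 PMTUD/ping.
        meta l4proto { icmp, ipv6-icmp } accept

        # DHCPv6 replies from the router (link-local source) to our client port.
        ip6 saddr fe80::/10 udp dport 546 accept

        # Local network only: private IPv4, IPv6 link-local and ULA. If LAN
        # clients use your delegated global prefix, add it to the ip6 set.
        ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept
        ip6 saddr { fe80::/10, fc00::/7 } accept

        # The one service reachable from the Internet: the VPN's UDP port.
        udp dport ${_port} accept
    }
}
EOF
}

# Print a oneshot unit that loads the rules early in boot and opens the
# firewall again (flush) when the unit is stopped.
unit() {
    cat <<EOF
[Unit]
Description=Load local nftables ruleset
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -f ${RULES_FILE}
ExecReload=/usr/sbin/nft -f ${RULES_FILE}
ExecStop=/usr/sbin/nft flush table inet filter

[Install]
WantedBy=sysinit.target
EOF
}

# Lock-out-safe test: syntax-check (-c loads nothing), load, then drop the
# table again after 60 s unless the marker file is removed from another session.
try_rules() {
    ruleset > /tmp/rules.nft || return 1
    nft -c -f /tmp/rules.nft || return 1
    nft -f /tmp/rules.nft || return 1
    touch /tmp/nft-keep-pending
    ( sleep 60; [ -e /tmp/nft-keep-pending ] && nft flush table inet filter ) &
    echo "rules loaded; run 'rm /tmp/nft-keep-pending' within 60 s to keep them"
}

# Persist the rules and unit (root required).
install_rules() {
    ruleset > "$RULES_FILE" || return 1
    unit > "$UNIT_FILE" || return 1
    systemctl daemon-reload && systemctl enable --now nftables-local.service
}

case "${1:-}" in
    ruleset) ruleset "${2:-}" ;;
    unit)    unit ;;
    try)     try_rules ;;
    install) install_rules ;;
    *)       : ;;
esac
```

Run it as `sh firewall.sh try` first and only `sh firewall.sh install` once you have confirmed from another machine that the VPN still answers and nothing else does. Two caveats worth keeping in mind: `flush ruleset`, the form most tutorials use, would also wipe the tables Docker creates through iptables-nft until the Docker daemon restarts, which is why this script flushes only its own table; and ports published with `docker -p` are steered by Docker's own NAT and forward rules, which this input chain does not cover, so bind those to a local address as the earlier reply suggests rather than relying on this table.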
Thank you for your reply. But unfortunately, I couldn’t find nft in my ZimaOS device.
I tried
sudo nft
sudo /usr/sbin/nft
ls -l /etc/nftables
There is neither nft command nor its config files…
That one’s on me. I assumed nftables was available because most Linux-based systems include it by default, even when the package manager is disabled. ZimaOS is stripped down more than a normal Debian build, and it looks like the nft binary simply isn’t shipped at all.
So the general idea was correct, nftables would be the way to handle custom rules, but in ZimaOS it isn’t possible right now because the tools aren’t there. Thanks for checking, because that confirms it.
Hopefully, IceWhale adds either nft or a small firewall UI in a future update so we have more control at the host level.