Uncomplicated Firewall (ufw)

The easiest way to get firewall in Chimera is through ufw, which is also used on Ubuntu by default and is available on many distributions.

UFW is a frontend to nftables or iptables, designed to be easy to use.

Install it:

# apk add ufw

Enable it:

# dinitctl enable ufw
# ufw enable

Verify it is enabled:

# ufw status

A simple configuration that allows SSH and webservers is something like:

# ufw default deny incoming
# ufw default allow outgoing
# ufw allow ssh http https
# ufw limit ssh

This will also limit SSH connections against brute-force.


If you wish to manage your firewall in a more low-level way, the recommended method is through nftables.

Install it:

# apk add nftables

It comes with a service that loads rules from /etc/nftables.conf. You can enable it with:

# dinitctl enable nftables

If you change the rules, just dinitctl restart it. Stopping the service will flush the rules.


The iptables package provides the legacy firewall. You can install it like:

# apk add iptables

In /etc/iptables, the simple_firewall.rules and empty.rules rulesets serve as an example.

There are two services, iptables and ip6tables, which load rules from /etc/iptables/iptables.rules and /etc/iptables/ip6tables.rules respectively. You can configure your firewall and generate the files with iptables-save and ip6tables-save.

In any case, enabling the services is as usual:

# dinitctl enable iptables
# dinitctl enable ip6tables

Restart the services when you change your rules. Stop the services to flush the rules.