Firewall
Under Beckhoff RT Linux®, nftables is used as a firewall, a framework of the Netfilter project that enables packet filtering, network address translation (NAT) and other applications. The nftables firewall is the default and recommended firewall framework in Debian and replaces the old iptables and related toolboxes. The firewall is restrictive by default with regard to incoming and forwarded connections. Necessary connections such as local loopback communication, SSH (port 22), ICMP and ICMPv6 are permitted. All outgoing connections are permitted.
You can use the command line tool nft to manage and check firewall rules. By default, the nftables.service service executes nft at system startup to load a standard set of rules from the file /etc/nftables-bhf.conf.
If you want to add your own firewall rules, you can store additional nftables files in /etc/nftables.conf.d/. After adding or changing firewall rules, restart the nftables service so that the changes are applied:
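As an added example (not from the Beckhoff documentation), a drop-in file that permits one additional service port. The file name, the table and chain names "inet filter" / "input", the port 8080 and the subnet 192.0.2.0/24 are assumptions for illustration; check the real table and chain names with sudo nft list ruleset and adjust them before use.

```nft
# /etc/nftables.conf.d/10-local-service.nft   (hypothetical file name)
#
# Assumption: the base ruleset in /etc/nftables-bhf.conf defines a table
# "inet filter" with a base chain "input" that drops traffic not listed
# there. Verify with:  sudo nft list ruleset
#
# The rule must be added to that existing chain. A separate table with its
# own accept rule does not help: a packet dropped by any base chain on the
# input hook stays dropped, whatever another table decides.
#
# "insert" places the rule at the top of the chain, so it is evaluated
# before any explicit final drop/reject rule the base chain may end with.
# Restricting the source subnet and matching only new connections keeps
# the exposure to what the service actually needs (constructed values).

insert rule inet filter input ip saddr 192.0.2.0/24 tcp dport 8080 ct state new accept comment "local-service (example)"
```

Run sudo nft -c -f /etc/nftables.conf.d/10-local-service.nft first: the -c option checks the file without applying it, so a typo is caught before the service is restarted.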
sudo systemctl restart nftables

Useful nft commands
To display the current firewall rules, use the following command:
sudo nft list ruleset

To temporarily delete all active rules and deactivate packet filtering, use the following command (the host then accepts all incoming connections until a ruleset is loaded again):

sudo nft flush ruleset

To apply a specific set of rules from a file, use:

sudo nft -f /path/to/your/ruleset.nft

To check whether the nftables service is active and running, use:

systemctl status nftables

The output looks as follows:
● nftables.service – nftables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; preset: enabled)
Drop-In: /usr/lib/systemd/system/nftables.service.d
└─50-use-nftables-bhf.conf
Active: active (exited) since Mon 2026-01-26 11:29:18 UTC; 1h 48min ago
Invocation: af5456023c554dc6937dbbccd3627f6c
Docs: man:nft(8)
http://wiki.nftables.org
Process: 464 ExecStart=/usr/sbin/nft -f /etc/nftables-bhf.conf (code=exited,status=0/SUCCESS)
Main PID: 464 (code=exited, status=0/SUCCESS)
Mem peak: 6.3M
CPU: 34ms