Firewall Setup & Troubleshooting
Rabtly enforces port-level access control rules using your operating system’s built-in firewall. The daemon renders ACL rules into the native firewall format and loads them automatically — you normally don’t need to think about it.
How it works
| Platform | Firewall backend | Tool used | Installed by default? |
|---|---|---|---|
| Linux | nftables | nft | Yes on Ubuntu 20.04+, Debian 11+, Fedora 33+, RHEL 8+, Amazon Linux 2023, Arch |
| macOS | pf (packet filter) | pfctl | Always (ships with every macOS) |
| Windows | Windows Firewall | netsh | Always (ships with every Windows) |
The daemon does not bundle these tools — it shells out to the system binary. This means:
- Admins can inspect Rabtly’s rules with the same tools they already know.
- The daemon has zero native dependencies beyond the OS itself.
- If the tool is missing, the daemon still boots and the VPN works — port ACLs just aren’t enforced.
Symptoms of a missing firewall backend
You’ll see one of these indicators:
- Dashboard: Device card shows `Firewall: off`
- CLI: `rabtly status` includes `firewall_enforced=false`
- Daemon log: `firewall: nft binary not found` / `pfctl binary not found` / `netsh binary not found`
What happens without the firewall?
Your device still connects normally. The difference:
| | With firewall | Without firewall |
|---|---|---|
| VPN tunnel | Works | Works |
| Visibility (which peers you see) | Enforced by server | Enforced by server |
| Port restrictions (e.g. “only tcp/5432”) | Enforced on-device | Not enforced on this device |
| Inbound from peers | Filtered to allowed ports only | Any visible peer can reach any port |
| Outbound to peers | Advisory (logged) | No difference |
The destination device still enforces its own inbound rules, so even if your device has no firewall, the other side blocks unauthorized traffic.
Quick fix per platform
- Linux — Install nftables (one command per distro)
- macOS — Enable pf (usually already active)
- Windows — Ensure Windows Firewall service is running
Verifying enforcement
After fixing, confirm with:
```sh
rabtly status
```
Look for `firewall_enforced=true`. You can also inspect the installed rules directly:
```sh
# Linux
sudo nft list table inet rabtly
# macOS
sudo pfctl -a cloud.rabtly -sr
# Windows (elevated)
netsh advfirewall firewall show rule group="Rabtly"
```
Security model
The firewall is fail-closed on Linux and macOS: if the first rule load fails, the daemon installs a minimal block-all ruleset so the device doesn’t accidentally run wide-open while retrying. On Windows, the OS default “block inbound, allow outbound” profile provides equivalent protection during the brief rule reload window.
A watchdog checks periodically that the rules are still loaded (detecting external flushes like nft flush ruleset or pfctl -F all) and reapplies automatically if drift is detected.
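The verification steps above and the watchdog behaviour can be checked from outside the daemon as well. The following script is an added example, not part of Rabtly's own tooling: it reads `rabtly status`, then confirms with the native tool that the ruleset really is loaded, so a silent external flush shows up in cron or monitoring. It assumes `rabtly status` prints `key=value` lines (the page only shows the `firewall_enforced=...` token) and uses the table and anchor names given on this page.

```shell
#!/bin/sh
# Added example (not Rabtly's code): out-of-band firewall drift check.
# Assumption: `rabtly status` emits key=value lines such as firewall_enforced=true.

# Return 0 when the supplied `rabtly status` output reports enforcement.
status_reports_enforced() {
  printf '%s\n' "$1" | grep -qE '(^|[[:space:]])firewall_enforced=true([[:space:]]|$)'
}

# Return 0 when Rabtly's ruleset is actually present in the native firewall,
# 1 when the backend tool is missing or the rules are gone (e.g. after a flush).
rules_loaded() {
  case "$(uname -s)" in
    Linux)
      command -v nft >/dev/null 2>&1 || return 1
      nft list table inet rabtly >/dev/null 2>&1 ;;
    Darwin)
      command -v pfctl >/dev/null 2>&1 || return 1
      # pfctl exits 0 even for an empty anchor, so require at least one rule line.
      [ -n "$(pfctl -a cloud.rabtly -sr 2>/dev/null)" ] ;;
    *)
      # Windows is not covered by this POSIX script; use
      # netsh advfirewall firewall show rule group="Rabtly" from an elevated prompt.
      return 1 ;;
  esac
}

# Combine both views: 0 = daemon reports enforcement and rules are loaded,
# 1 = backend missing or drift between what the daemon believes and the OS.
check_drift() {
  out=$(rabtly status 2>/dev/null) || { echo "rabtly status failed"; return 1; }
  if ! status_reports_enforced "$out"; then
    echo "daemon reports firewall_enforced=false (backend tool missing?)"; return 1
  fi
  if ! rules_loaded; then
    echo "daemon reports enforced but native ruleset is missing: possible external flush"
    return 1
  fi
  echo "firewall enforced and ruleset loaded"
}

if [ "${1:-}" = "--run" ]; then
  check_drift
fi
```

Run it as `sh drift-check.sh --run` from a privileged account, since `nft list` and `pfctl -sr` need root; a non-zero exit is the signal to alert on.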