I had a look at the man page for iptables-legacy and it didn't tell me much; are you suggesting rules be added using this binary? Ok, that sounds reasonable; but it's only half the answer: Where/how are the existing rules added?

....

Edit: Oh, I think I've found a partial solution. Your grepping suggestion gave me the idea:

# grep -r iptables *
default/ferm:# use iptables-restore for fast firewall initialization?
multitail.conf:# linux iptables firewall

the second line is a dud, but the first is part of a package called ferm, and its /etc/ferm/ferm.conf has syntax which would translate into almost all of the rules on my system:

domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # allow local packet
            interface lo ACCEPT;

            # respond to ping
            proto icmp ACCEPT; 

            # allow IPsec
            proto udp dport 500 ACCEPT;
	    @if @eq($DOMAIN, ip) {
	      proto (esp ah) ACCEPT;
	    } @else {
	      proto (esp) ACCEPT;
	    }

            # allow SSH connections
            proto tcp dport ssh ACCEPT;
        }
        chain OUTPUT {
            policy ACCEPT;

            # connection tracking
            #mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
        chain FORWARD {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
    }
}

I think only the SSH port being open is unaccounted for in this file. Where could it be coming from?

man iptables-legacy

for more information.

What do

ls /etc/*tables*

and

/etc/init.d/*tables*

show?

I am running an app which needs to take incoming connections over some TCP port (say 5123). I had (mistakenly) assumed my ports would be open by default if I listened on them - since SSH to my machine to other, and I haven't done anything to open up port 22. However - that's not the case. It's not even the case for sshd itself: If I add a Port 5123 statement to /etc/sshd_config, I can ssh through port 5123 from localhost, but not from other machines.

So, I started looking into the Linux firewall business, which I haven't really touched for many years; and specifically to the situation on Devuan (without me having installed any special relevant packages).

It seems that there are some "legacy iptables" rules in effect; iptables-legacy-save yields:

*filter
:INPUT DROP [23:3096]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [21257:2268987]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

but nothing with nft flush ruleset.

Now, I'm able to manually write an extra iptables rule for the port I want. But - I don't know where and when these rules are applied, so that I could add to them in a persistent manner. I'm also able (I think) to generate an /etc/nftables.conf to suit my needs - but that doesn't get loaded at all (AFAICT). I could ensure it's loaded with an /etc/init.d to load it, but - that would clash with whatever loads the iptables rules right now, wouldn't it?

So, bottom line: How should I add another persistent rule for opening additional ports?