default firewall utility changes for Debian 11 bullseye

Hi there,

as you may know, Debian 10 buster includes the iptables-nft utility by default,
which is an iptables flavor that uses the nf_tables kernel subsystem.
It is intended to help people migrate from iptables to nftables.

For the next release cycle I propose we move this default event further.
As of this email, iptables [0] is Priority: important and nftables [1] is
Priority: optional in both buster and bullseye. The important value means the
package gets installed by default in every Debian install.

Also, I believe the days of using a low level tool for directly configuring the
firewall may be gone, at least for desktop use cases. It seems the industry more
or less agreed on using firewalld [2] as a wrapper for the system firewall.
There are plenty of system services that integrate with firewalld anyway [3].
By the way, firewalld is using (or should be using) nftables by default at this

This email contains 2 changes/proposals for Debian 11 bullseye:

1) switch priority values for iptables/nftables, i.e., make nftables Priority:
important and iptables Priority: optional

2) introduce firewalld as the default firewalling wrapper in Debian, at least in
desktop related tasksel tasks.

For changes in 2) I'm looking forward to having consensus, and will need others to
do changes themselves.
I can do changes in 1) myself, and will probably do so very soon.


[0] https://tracker.debian.org/pkg/iptables
[1] https://tracker.debian.org/pkg/nftables
[2] https://tracker.debian.org/pkg/firewalld
[3] disclaimer: I don't use firewalld myself
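The migration the email refers to, iptables rules re-expressed as a native nftables ruleset, is what iptables-nft does behind the scenes and what iptables-translate(8) / iptables-restore-translate(8) do in the open. Below is an added example, not code from this email, from Debian packaging, or from the iptables or nftables projects: a small Python translator covering the filter table, chain policies and a handful of common matches, fed a constructed iptables-save dump. Anything it does not understand makes it stop rather than emit a rule with a match quietly dropped.

```python
"""Translate a small subset of iptables-save syntax into an nftables ruleset.

Added example (not Debian, iptables or nftables project code). The real tools
are iptables-translate(8) and iptables-restore-translate(8); this toy handles
only the filter table, chain policies, and -A rules using -i/-o, -s/-d, -p with
--dport/--sport, and conntrack state matches.
"""
import shlex

# Constructed sample input in iptables-save format (not taken from any real host).
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
"""

HOOKS = {"INPUT": "input", "FORWARD": "forward", "OUTPUT": "output"}
VERDICTS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}


def translate_rule(args):
    """Turn the tokens of one '-A CHAIN ...' line into (chain, nft rule text).

    Every match is translated or ValueError is raised: a match that silently
    went missing would make the resulting rule broader than the original.
    """
    chain, verdict, matches = None, None, []
    proto, proto_slot, port, port_kind = None, None, None, None
    i = 0
    while i < len(args):
        opt, val = args[i], (args[i + 1] if i + 1 < len(args) else None)
        if val is None:
            raise ValueError(f"missing argument for {opt}")
        if opt == "-A":
            chain = val
        elif opt == "-i":
            matches.append(f'iifname "{val}"')
        elif opt == "-o":
            matches.append(f'oifname "{val}"')
        elif opt == "-s":
            matches.append(f"ip saddr {val}")
        elif opt == "-d":
            matches.append(f"ip daddr {val}")
        elif opt == "-p":
            proto, proto_slot = val, len(matches)
            matches.append(None)            # filled in once we know if a port follows
        elif opt in ("--dport", "--sport"):
            port, port_kind = val, opt[2:]  # "dport" / "sport"
        elif opt == "-m" and val == "conntrack":
            pass                            # the --ctstate option carries the match
        elif opt == "--ctstate":
            matches.append(f"ct state {val.lower()}")
        elif opt == "-j" and val in VERDICTS:
            verdict = VERDICTS[val]
        else:
            raise ValueError(f"unsupported iptables option: {opt} {val}")
        i += 2
    if port and not proto:
        raise ValueError("--dport/--sport needs a -p protocol")
    if proto:
        matches[proto_slot] = f"{proto} {port_kind} {port}" if port else f"ip protocol {proto}"
    if chain is None or verdict is None:
        raise ValueError("rule needs both -A CHAIN and -j VERDICT")
    # iptables rules always carry counters, so the translation keeps a 'counter'.
    return chain, " ".join(matches + ["counter", verdict])


def translate_ruleset(save_text):
    """Translate an iptables-save dump of the filter table into 'nft -f' syntax."""
    policies, rules = {}, {}
    for line in save_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            if line != "*filter":
                raise ValueError(f"only the filter table is supported: {line}")
            continue
        if line.startswith(":"):                 # ':CHAIN POLICY [pkts:bytes]'
            name, policy, _counters = line[1:].split()
            policies[name] = policy
            rules.setdefault(name, [])
            continue
        chain, rule = translate_rule(shlex.split(line))
        rules.setdefault(chain, []).append(rule)
    out = ["table ip filter {"]
    for name, chain_rules in rules.items():
        out.append(f"\tchain {name} {{")
        if name in HOOKS:                        # built-in chains become base chains
            policy = VERDICTS[policies.get(name, "ACCEPT")]
            out.append(f"\t\ttype filter hook {HOOKS[name]} priority 0; policy {policy};")
        out.extend(f"\t\t{r}" for r in chain_rules)
        out.append("\t}")
    out.append("}")
    return "\n".join(out) + "\n"


def translation_error(line):
    """Return the error message for a rule line this translator refuses, else None."""
    try:
        translate_rule(shlex.split(line))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(translate_ruleset(SAMPLE_IPTABLES_SAVE))
```

The output is a complete `table ip filter { ... }` block that `nft -f` can load. Two habits from it carry over to any real migration: verify the result with `nft list ruleset` rather than trusting the translation, and treat "unsupported option" as a hard stop, since a dropped match widens a rule instead of narrowing it. On a buster host, `iptables -V` shows `(nf_tables)` or `(legacy)` and tells you which flavour is actually in use.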