Re: default firewall utility changes for Debian 11 bullseye
Hi,
I'm replying to your questions, but I also have other questions related to
this fresh transition...
On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:
> as you may know, Debian 10 buster includes the iptables-nft utility by default,
> which is an iptables flavor that uses the nf_tables kernel subsystem.
> It is intended to help people migrate from iptables to nftables.
Is it intended that /proc/net/ip_tables_names and
/proc/net/ip6_tables_names are always empty when you use iptables-nft and
thus nf_tables under the hood?
This is breaking fwbuilder at least: https://github.com/fwbuilder/fwbuilder/issues/88
> Also, I believe the days of using a low level tool for directly configuring the
> firewall may be gone, at least for desktop use cases. It seems the industry more
> or less agreed on using firewalld [2] as a wrapper for the system firewall.
What would/should Debian recommend to configure the firewall in the server
case?
I was recommending creating firewall rules with fwbuilder up to now (see
https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html),
but while it's still maintained, it has not had any recent release
and still doesn't have native nftables support
(https://github.com/fwbuilder/fwbuilder/issues/17).
> This email contains 2 changes/proposals for Debian 11 bullseye:
>
> 1) switch priority values for iptables/nftables, i.e, make nftables Priority:
> important and iptables Priority: optional
Ack.
> 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> desktop related tasksel tasks.
No objection. I think it's high time we had some default firewall
installed, in particular with IPv6 getting more widely deployed...
The other desktop firewall that I know is "ufw" but it doesn't seem to
have any momentum behind it.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
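The question above about /proc/net/ip_tables_names being empty under iptables-nft is exactly the trap a tool like fwbuilder falls into: that proc file only lists loaded x_tables (legacy) tables, so an empty file tells you nothing about whether nf_tables rules exist. The script below is an added example, not code from this thread, from fwbuilder or from Debian. It assumes that iptables 1.8 and later (the version Debian 10 ships) prints the backend in parentheses in `iptables -V`, i.e. "iptables v1.8.2 (nf_tables)" or "iptables v1.8.2 (legacy)", and that /proc/net/ip_tables_names and /proc/net/ip6_tables_names list only loaded x_tables tables; the function names and the "--host" option are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): tell apart the iptables
# backends Debian 10 ships and decide where a firewall manager should read the
# live ruleset from. Assumption: `iptables -V` on iptables >= 1.8 ends with
# "(nf_tables)" or "(legacy)", and /proc/net/ip_tables_names lists only loaded
# x_tables tables, so it stays empty when iptables-nft is the backend in use.

# Map an `iptables -V` banner to a backend name.
iptables_backend_from_banner() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;  # e.g. iptables 1.6 on stretch, or no iptables at all
    esac
}

# Count the table names in an ip_tables_names-style file (one name per line).
# A missing or empty file yields 0. Under iptables-nft that is the normal state
# and is NOT evidence that the host has no firewall rules.
legacy_table_count() {
    file="$1"
    if [ -r "$file" ]; then
        grep -c . "$file" || true   # grep exits 1 on an empty file but still prints "0"
    else
        echo 0
    fi
}

# Decide where the live ruleset can be read from:
#   nf_tables  iptables-nft is selected and no x_tables table is loaded; dump with `nft list ruleset`
#   x_tables   legacy tables are loaded; dump with `iptables-legacy-save`
#   mixed      iptables-nft selected but legacy tables are loaded too; both hook into the
#              kernel, so a manager that reads only one of them sees a partial picture
#   none       legacy (or unknown) backend selected and no table loaded yet
ruleset_source() {
    banner="$1"; procfile="$2"
    backend=$(iptables_backend_from_banner "$banner")
    tables=$(legacy_table_count "$procfile")
    if [ "$backend" = nft ]; then
        if [ "$tables" -gt 0 ]; then echo mixed; else echo nf_tables; fi
    elif [ "$tables" -gt 0 ]; then
        echo x_tables
    else
        echo none
    fi
}

# Report on the running host when invoked as `sh firewall-backend.sh --host`.
if [ "${1:-}" = "--host" ]; then
    banner=$(iptables -V 2>/dev/null || true)
    printf 'iptables backend : %s\n' "$(iptables_backend_from_banner "$banner")"
    printf 'IPv4 x_tables    : %s table(s)\n' "$(legacy_table_count /proc/net/ip_tables_names)"
    printf 'IPv6 x_tables    : %s table(s)\n' "$(legacy_table_count /proc/net/ip6_tables_names)"
    printf 'read rules via   : %s\n' "$(ruleset_source "$banner" /proc/net/ip_tables_names)"
fi
```

On Debian 10 the `iptables` name is an update-alternatives link, so the banner reflects whichever of iptables-nft or iptables-legacy is currently selected (`update-alternatives --display iptables`), not necessarily the variant that loaded the rules already in the kernel; that is why the script checks the proc file as well and reports "mixed" when both backends have state.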