Re: default firewall utility changes for Debian 11 bullseye
On 7/16/19 11:57 AM, Raphael Hertzog wrote:
> Hi,
>
> I'm replying to your questions but I have also other questions related to
> this fresh transition...
>
> On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:
>> as you may know, Debian 10 buster includes the iptables-nft utility by default,
>> which is an iptables flavor that uses the nf_tables kernel subsystem.
>> It is intended to help people migrate from iptables to nftables.
>
> It is intended that /proc/net/ip_tables_names and
> /proc/net/ip6_tables_names are always empty when you use iptables-nft and
> thus nf_tables under the hood?
>
> This is breaking fwbuilder at least: https://github.com/fwbuilder/fwbuilder/issues/88
>
Yes, nf_tables does not expose that data in /proc/; it uses a netlink API,
which is a better way of interacting with it.
>> Also, I believe the days of using a low level tool for directly configuring the
>> firewall may be gone, at least for desktop use cases. It seems the industry more
>> or less agreed on using firewalld [2] as a wrapper for the system firewall.
>
> What would/should Debian recommend to configure the firewall on the server
> case ?
>
> I was recommending creating firewall rules with fwbuilder up to now (see
> https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html)
The reset_iptables() function you mentioned in the above issue doesn't even
replace the rules in an atomic fashion, which is not a good way to work with
firewall rules, especially for wrappers.
firewalld can be useful in server use cases as well. Here is libvirt using
firewalld (and nftables):
https://libvirt.org/firewall.html#fw-firewalld-and-virtual-network-driver
This is all to say that firewalld may be way better than fwbuilder as a general
recommendation.
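Two practical points from this exchange, as an added shell example that is not part of the thread or of any of the tools named in it: how a script can tell which iptables backend is in use now that /proc/net/ip_tables_names is empty under iptables-nft, and how to stage a ruleset so that nft replaces the old rules in a single transaction instead of the flush-then-reload sequence described above. It assumes that `iptables -V` on iptables 1.8+ prints the backend in parentheses ("(nf_tables)" or "(legacy)") and that `nft -c -f FILE` checks a ruleset file without loading it; the version strings fed to the classifier in the test are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the iptables 1.8 "-V"
# banner format and the nft "-c -f" check mode.

# Classify an `iptables -V` banner. Under the nf_tables backend the
# /proc/net/ip_tables_names and ip6_tables_names files stay empty, so a
# wrapper must look at the banner (or use netlink) instead of /proc.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Write a ruleset file whose first statement flushes the live ruleset.
# `nft -f` applies the whole file as one transaction, so the old rules are
# swapped for the new ones atomically: there is no window in which the host
# has no rules (or only half of them), unlike separate flush + reload calls.
write_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport 22 accept
    }
}
EOF
}

# Syntax-check the staged file without touching the live ruleset.
# Returns nft's own status, or 2 when nft is not installed so callers can
# distinguish "bad ruleset" from "no nft on this box".
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    nft -c -f "$1"
}

# First statement of the staged file; used to confirm the flush leads.
first_statement() {
    sed -n '1p' "$1"
}
```

Typical use is `iptables_backend "$(iptables -V)"` to decide whether /proc can be trusted at all, then `write_ruleset /etc/nftables.conf`, `check_ruleset /etc/nftables.conf`, and only then `nft -f /etc/nftables.conf` to commit the replacement in one step.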