
Re: is nft running? how do I get info?



On Tue 25 Apr 2023 at 08:59:23 (+0000), Bonno Bloksma wrote:
> 
> Did I discover a bug in the bookworm release? I think we can argue both for and against, but I am calling it a bug.
> 
> It seems the bookworm release comes with NO firewall solution enabled !
> Iptables is no longer installed by default
> The nft service is NOT enabled by default.
> 
> After searching some more I found "Enable and start the nftables service by":
> sudo systemctl enable nftables 
> sudo systemctl start nftables.
> Looking at the sudo stuff it must have been written for Ubuntu. And indeed, I now have a nft service that will by default load the /etc/nftables.conf file :-)
> The start command in itself is not needed, it just starts the firewall right away.
> 
> I do NOT understand why it is not enabled by default with the default config as it is.
> The firewall in itself is open enough that it does not block stuff, but it does allow someone to build upon or to replace it with a proper firewall.
> 
> There probably was a discussion about it sometime in the past and this is what "they" came up with.
> Still, I think there should be a better way, have a default (semi) open firewall and have it enabled by default. 
> 
> Now all I need to do is go to my existing Buster installs and enable the firewall. It seems after I changed the iptables script to a nft config I have been running my buster machines with a proper nft config that NEVER got loaded. :-(

It seems like you missed reading the Release Notes:

  §2.2.6 Network filtering based on nftables framework by default

and the reference there to https://wiki.debian.org/nftables
which has its § "nftables in Debian the easy way".

Cheers,
David.
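Since the subject of this thread is how to tell whether nft is actually running, here is a small POSIX shell check (an added example, not part of the original thread or of Debian's own tooling) that combines `systemctl is-enabled`/`is-active` for the nftables unit with `nft list ruleset`; the classification function works on captured command output, so it can be exercised offline with constructed samples, and it distinguishes the case Bonno describes (a config on disk that was never loaded) from an enabled-but-not-yet-started service.

```shell
#!/bin/sh
# Added example: is the nftables service enabled, and is any ruleset loaded
# in the kernel? Assumes systemd and the nft binary in PATH for the live check.

# classify_nft ENABLED ACTIVE RULESET
# ENABLED/ACTIVE are the outputs of `systemctl is-enabled|is-active nftables`;
# RULESET is the output of `nft list ruleset`. Pure function over strings.
classify_nft() {
    enabled="$1"; active="$2"; ruleset="$3"
    # Count table definitions in the live ruleset. An empty ruleset means the
    # kernel is filtering nothing, whatever /etc/nftables.conf may say.
    tables=$(printf '%s\n' "$ruleset" | grep -c '^table ' || :)
    if [ "$tables" -eq 0 ]; then
        if [ "$enabled" = "enabled" ]; then
            # Unit enabled for next boot but nothing loaded now: `systemctl start`
            # (or a reboot) is still needed.
            echo "enabled-but-empty"
        else
            # The Buster situation from the thread: a config file that never got loaded.
            echo "not-enabled-empty"
        fi
    elif [ "$enabled" = "enabled" ] && [ "$active" = "active" ]; then
        echo "enabled-active-loaded"
    else
        # Rules are present (loaded by hand or by another tool) but the unit is
        # not enabled, so they will not survive a reboot.
        echo "loaded-but-not-persistent"
    fi
}

# Live check on the running system; prints one of the four verdicts above.
check_nft_live() {
    en=$(systemctl is-enabled nftables 2>/dev/null || :)
    ac=$(systemctl is-active nftables 2>/dev/null || :)
    [ -n "$en" ] || en=unknown
    [ -n "$ac" ] || ac=unknown
    rs=$(nft list ruleset 2>/dev/null || :)
    classify_nft "$en" "$ac" "$rs"
}
```

Run `check_nft_live` as root (nft needs CAP_NET_ADMIN to list the ruleset); anything other than `enabled-active-loaded` means the firewall you wrote is not the one the kernel is enforcing.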
