Re: is nft running? how do I get info?
On Tue 25 Apr 2023 at 15:21:50 (+0000), Bonno Bloksma wrote:
> I consider not having nftables enabled by default in bookworm a bug, let me explain why...
> 
> >> It seems the bookworm release comes with NO firewall solution enabled !
> >> Iptables is no longer installed by default
> >> The nft service is NOT enabled by default.
> 
> > It seems like you missed reading the Release Notes:
> > 
> >   §2.2.6 Network filtering based on nftables framework by default
> 
> Ok, I was "talking" about bookworm, these are the release notes for Buster, not even Bullseye. I was not interested in nft at that time and probably glanced over it.
> I can understand nft not being enabled by default in Buster, we still had a fully functional iptables at that point, I guess most of us still used it at that time.

Those (ie you) were the people for whom the Release Notes were written.

> > and the reference there to https://wiki.debian.org/nftables which has its § "nftables in Debian the easy way".
> This still talks about installing nftables, that is also very old.
> 
> But yes, I must have missed it because I never enabled the nftables "service".

That's what I thought. But it's only old because this was all
documented two releases ago.

> What I am talking about now is that iptables is gone (by default).

Yes, they wrote "nftables provides a full replacement for iptables", …
"This change is in line with what other major Linux distributions are doing".
And the wiki: "the iptables utility may not be installed in a system by default."

If you were an iptables user, you'd have found in NEWS.Debian:

  "iptables is no longer Priority: important. This means it is not
  installed by default in every system. It has been replaced by nftables"

and there was advice on tools for converting iptables into nftables
configurations, spelled out in README.Debian.

> There is also a default nftables.conf file, but ... it is almost useless and even misleading because it never gets used.
> And unless you make an obvious error and NOT expect your service(s) to work why would you be surprised when the (non-existing) firewall enables the services to work as they should?

AFAICT all your complaints are answered in the wiki and the iptables
documentation, and changes really ought not to come as a surprise.

> In all the 20+ years I have been writing firewalls I have always written them by starting from a closed firewall to open just the right services/ports. I would never test if something worked for which I never opened the corresponding port, why would I? I would test if something worked for which I had supposedly opened the correct network port.
> Also in those days with ipchains and iptables there were scripts and if there was an error I would see it when testing the script.
> 
> If I test the /etc/nftables.conf file as a script it will even work flawlessly with no errors. I can even use the nft list ruleset command afterwards to see I have a working firewall.
> Unfortunately that works only until the next reboot, but why would I think so?
> 
> Why, now that we are at bookworm, is the nftables service not enabled by default? With a default ruleset that pretty much leaves it all open but is a starting point.
> If we do not want that, then at least the default config should contain a warning about first enabling the service or scripting something to have it working (after a reboot).
> 
> I think this is the first time I have come across something in Debian that after being installed by default does nothing, even when provided with a valid config file at the proper location.
> I consider that a bug.

Debates have raged in the past about whether services should be
started automatically just because they have been installed.
My recollection is that it was unix old-timers who maintained that
they ought not to be. And …

> Here is something similar.
> Consider opening your door with a key. Every time you open the door with the key it opens. All is well, you bought the cylinder and key for the lock at a very good locksmith. You told him you had been installing cylinders in doors for years and you were able to insert this cylinder in the door.
> Until sometime later you find out the door never locks, it is always open, that is why you could always enter.
> It turns out you first need to enable the cylinder before it did something useful with the key provided.
> That was something completely new, you never heard of it before, neither do I though. ;-)

And the opposing view, a more likely scenario: you have new locks
fitted. Unfortunately, the first time you go out, you pocket your
keys as usual and walk out, closing the door behind you. Later you
find you hadn't yet fitted the new key onto your keyring…

Cheers,
David.
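The thread turns on two separate facts that are easy to run together: what a ruleset loaded with `nft -f /etc/nftables.conf` actually blocks, and whether that ruleset comes back after a reboot, which depends only on `nftables.service` being enabled. The script below is an added example, written for this page and not code from the thread, from Debian or from the nftables project. It assumes the real commands `nft list ruleset` and `systemctl is-enabled nftables` and Debian's `nftables.service` unit name; the two rulesets embedded in it are constructed samples in `nft list ruleset` format (one shaped like the stock all-accept `/etc/nftables.conf`, one closed by default), not captures from a real host.

```shell
#!/bin/sh
# Added example, not from the thread or from Debian's nftables package.
# It separates the two facts the discussion runs together:
#   1. the policy of the base chains hooked into input/forward
#      (what a freshly loaded ruleset actually blocks), and
#   2. whether nftables.service is enabled, i.e. whether /etc/nftables.conf
#      is re-applied at boot or the ruleset vanishes with the next reboot.
# Both rulesets below are CONSTRUCTED samples in `nft list ruleset` format;
# neither was captured from a real host.

# Shape of the stock Debian /etc/nftables.conf: every base chain accepts.
DEFAULT_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}'

# A closed-by-default variant: drop, then open only what is needed.
HARDENED_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}'

# chain_policy RULESET_TEXT CHAIN -> prints accept/drop, or "none" when the
# named chain has no base-chain policy line (or does not exist at all).
chain_policy() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "chain" && $2 == want { inchain = 1; next }
        inchain && /policy/ { sub(/.*policy /, ""); sub(/;.*/, ""); print; found = 1; exit }
        inchain && /^[ \t]*}/ { inchain = 0 }
        END { if (!found) print "none" }'
}

# boot_verdict STATE -> one line saying whether the ruleset survives a reboot.
# STATE is what `systemctl is-enabled nftables` prints (enabled, disabled, ...).
boot_verdict() {
    case "$1" in
        enabled|enabled-runtime|static)
            echo "persistent: nftables.service applies /etc/nftables.conf at boot" ;;
        *)
            echo "NOT persistent: nftables.service is '$1'; rules loaded with nft -f are lost at reboot" ;;
    esac
}

# audit RULESET_TEXT STATE -> reports the input/forward policy and the boot
# verdict; exit status 1 if either hooked chain still accepts by default.
audit() {
    ruleset=$1; state=$2; rc=0
    for chain in input forward; do
        pol=$(chain_policy "$ruleset" "$chain")
        echo "chain $chain: policy $pol"
        [ "$pol" = drop ] || rc=1
    done
    boot_verdict "$state"
    return $rc
}

# Audit the live host when nft/systemctl are present and we are root;
# otherwise demonstrate on the constructed samples.
if [ "$(id -u)" = 0 ] && command -v nft >/dev/null 2>&1 && command -v systemctl >/dev/null 2>&1; then
    state=$(systemctl is-enabled nftables 2>/dev/null || true); state=${state:-unknown}
    audit "$(nft list ruleset)" "$state" || true
else
    echo "== default config, service disabled =="; audit "$DEFAULT_RULESET" disabled || true
    echo "== hardened config, service enabled ==";  audit "$HARDENED_RULESET" enabled || true
fi
```

On a Debian host run as root it audits the live ruleset; anywhere else it walks the two constructed samples, so the default-config run shows both problems at once (accept policies on input and forward, and a ruleset that will not be reloaded), while the hardened run with the service enabled exits 0. A non-zero exit from `audit` is the cue that `nft list ruleset` looking right today is not the same as having a firewall after the next reboot.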