Debian 11 To Further Deprecate IPTables In Favor Of Nftables Plus Promoting Firewalld

  • Debian 11 To Further Deprecate IPTables In Favor Of Nftables Plus Promoting Firewalld

    Phoronix: Debian 11 To Further Deprecate IPTables In Favor Of Nftables Plus Promoting Firewalld

    Debian 10 "Buster" already is making use of IPTables' Netfilter back-end by default in their path to deprecate IPTables while for Debian 11 the deprecation will continue further...

    http://www.phoronix.com/scan.php?pag...bles-Firewalld

  • #2
    firewalld is awesome, and I've found it is a bit of a pain to set up on Debian, so it's going to be great to see it work out of the box. I'm already using it with RHEL.
    Last edited by Britoid; 10-14-2019, 03:49 PM.



    • #3
      /me too migrated ufw→firewalld some weeks ago. Everything is smooth so far.



      • #4
        Been using firewalld for years on CentOS 7, Debian 9+, and Ubuntu 16.04+. I deploy one public.xml zone on ALL my systems. I recently integrated an ipset of the top 10,000 abusive IP addresses from abuseipdb.com. Dropping tons of packets from any host on that blacklist. Love it.

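The ipset workflow described in the post above, written out as an added example (this is not the poster's script, nor code from firewalld or abuseipdb.com). It assumes firewall-cmd is installed with firewalld running, and a plain text blocklist with one IPv4 address or CIDR per line; the ipset name `abuseipdb`, the `SAMPLE_LIST` contents and the file paths are made up for illustration. The part a practitioner most wants is the normalisation step: a list pulled from a third party should never be able to drop traffic from your own loopback or RFC 1918 management ranges.

```shell
#!/bin/sh
# Added example for this thread (not code from the poster, firewalld, or
# abuseipdb). Assumes: firewall-cmd is installed and firewalld is running;
# the blocklist is a plain text file with one IPv4 address or CIDR per line,
# as you would export from a source like abuseipdb.com. SAMPLE_LIST and the
# ipset name "abuseipdb" are made up here for illustration.
set -eu

IPSET_NAME="abuseipdb"

# normalize_blocklist: stdin -> stdout. Strips comments, whitespace and blank
# lines, keeps only IPv4 addresses/CIDRs, de-duplicates, and refuses 0.x,
# loopback and RFC 1918 entries: a list fetched from a third party must never
# be able to drop traffic from your own management network.
normalize_blocklist() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | grep -Ev '^(0\.|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' \
    | sort -u
}

# build_ipset_commands: print (rather than run) the firewall-cmd sequence that
# creates a hash:net ipset, fills it from a file, and binds it as a source of
# the built-in "drop" zone. Printing lets the change be reviewed first; pipe
# the output into sh to apply it.
build_ipset_commands() {
    list_file=$1
    cat <<EOF
firewall-cmd --permanent --new-ipset=${IPSET_NAME} --type=hash:net --option=family=inet --option=maxelem=65536
firewall-cmd --permanent --ipset=${IPSET_NAME} --add-entries-from-file=${list_file}
firewall-cmd --permanent --zone=drop --add-source=ipset:${IPSET_NAME}
firewall-cmd --reload
firewall-cmd --info-ipset=${IPSET_NAME}
EOF
}

# Constructed sample blocklist: a comment, a duplicate, a CIDR, a private
# address that must be filtered out, and a junk line.
SAMPLE_LIST='# constructed sample, not real abuse data
198.51.100.7
198.51.100.7
203.0.113.0/24
192.168.1.10   # our own LAN, must not be loaded
not-an-address
'

main() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_LIST" | normalize_blocklist > "$tmp"
    echo "# entries that would be loaded:"
    sed 's/^/#   /' "$tmp"
    build_ipset_commands "$tmp"
    rm -f "$tmp"
}

main
```

`hash:net` accepts both single addresses and networks (`hash:ip` would reject the CIDR lines), but an ipset is single-family, so an IPv6 list needs a second ipset created with `--option=family=inet6`. Binding the set as a source of the `drop` zone works because firewalld matches a packet's source against zone sources before falling back to the interface's zone, so the drop wins even on interfaces assigned to `public`. Raise `maxelem` if the list outgrows 65536 entries.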


        • #5
          I, on the contrary, looked into nftables and don't see exactly what it brings that is new.
          iptables syntax is awesome.



          • #6
            Originally posted by tuxd3v View Post
            I, on the contrary, looked into nftables and don't see exactly what it brings that is new.
            iptables syntax is awesome.
            You can still, for now, use iptables syntax with nftables, as is the case in Debian. Take a look at the FAQ as well.



            • #7

              I looked at the https://firewalld.org and did not see anything compelling for my use cases.

              I did see stuff that could mean more complexity and "breakage risk" due to poor coding techniques.

              Now security professionals have to consider the risk of D-Bus flaws causing compromises in the firewall, since firewalld proudly proclaims its "Complete D-Bus API" on its web page.

              IMHO a firewall is one place where you want coding techniques to be sound, simple, secure, and very reliable. Any flaws could increase the potential "attack surface" and risk your network being compromised.

              And I wish these millennials would "learn to code" properly.



              • #8
                Originally posted by NotMine999 View Post
                I looked at the https://firewalld.org and did not see anything compelling for my use cases.

                I did see stuff that could mean more complexity and "breakage risk" due to poor coding techniques.

                Now security professionals have to consider the risk of D-Bus flaws causing compromises in the firewall, since firewalld proudly proclaims its "Complete D-Bus API" on its web page.

                IMHO a firewall is one place where you want coding techniques to be sound, simple, secure, and very reliable. Any flaws could increase the potential "attack surface" and risk your network being compromised.

                And I wish these millennials would "learn to code" properly.
                Well, this https://developers.redhat.com/blog/2...e-is-nftables/ mentions the following points:

                • all firewall information viewable with a single underlying tool, nft
                • single rule for both IPv4 and IPv6 instead of duplicating rules
                • does not assume complete control of firewall backend
                • won’t delete firewall rules installed by other tools or users
                • rule optimizations (log and deny in same rule)



                • #9
                  Originally posted by NotMine999 View Post
                  I looked at the https://firewalld.org and did not see anything compelling for my use cases.

                  I did see stuff that could mean more complexity and "breakage risk" due to poor coding techniques.

                  Now security professionals have to consider the risk of D-Bus flaws causing compromises in the firewall, since firewalld proudly proclaims its "Complete D-Bus API" on its web page.

                  IMHO a firewall is one place where you want coding techniques to be sound, simple, secure, and very reliable. Any flaws could increase the potential "attack surface" and risk your network being compromised.

                  And I wish these millennials would "learn to code" properly.
                  firewalld is from Red Hat; it's not a piece of software some guy/girl is writing in their spare time.



                  • #10
                    Originally posted by tuxd3v View Post
                    I, on the contrary, looked into nftables and don't see exactly what it brings that is new.
                    iptables syntax is awesome.
                    With iptables I can't filter out packets matching one of two subnets, for example; nftables has far fewer restrictions.
                    The real improvements are largely internal: nftables rules can be added and removed more easily in a modular fashion, which is relevant if apps manage their own rules without messing up others'. At work I can't use virt-manager and docker at the same time, as their iptables-based bridging interferes with my network configuration.

                    Syntax is the least important issue, as the automatic iptables->nftables converters prove.

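An added example tying together the points made in #6, #8 and #10 (this is not code from the posters, from Debian, or from the nftables project). It assumes a Debian 10/11-style host where the `iptables` command is the nf_tables-backed build (iptables-nft) and the `nft` binary is installed; the `iptables -V` string is constructed, and the addresses are documentation and private ranges chosen for the example. The first function is the check #6 implies: rules loaded through the legacy backend are invisible to `nft` and vice versa, so find out which variant you have before mixing tools. The ruleset then shows, in one table, the single-rule IPv4/IPv6 handling, the "one of two subnets" anonymous set, a live-editable named set, and log-and-drop in a single rule, and it replaces only its own table so that rules owned by docker or libvirt survive.

```shell
#!/bin/sh
# Added example for this thread (not code from the posters, Debian, or the
# nftables project). Assumes a Debian 10/11-style host where "iptables" is
# the nf_tables-backed build (iptables-nft) and the nft binary is installed;
# the addresses below are documentation/private ranges chosen for the example.
set -eu

# iptables_backend: classify the output of `iptables -V`, which on Debian
# reports the backend in parentheses, e.g. "iptables v1.8.7 (nf_tables)" or
# "iptables v1.8.7 (legacy)". Rules loaded through the legacy backend are
# invisible to nft (and vice versa), so check this before mixing tools;
# `update-alternatives --display iptables` shows which variant is selected.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# emit_ruleset: print a small nftables ruleset showing the points raised in
# the thread:
#   - "table inet": one rule covers IPv4 and IPv6, no duplicated v4/v6 rules;
#   - an anonymous set { a, b } matches "one of two subnets" in one rule;
#   - a named set can be edited live with "nft add element" without reloading;
#   - log and drop live in the same rule.
# The declare/delete/recreate prologue replaces only this table, atomically,
# and leaves tables owned by other tools (docker, libvirt, firewalld) alone,
# unlike "flush ruleset", which wipes everything.
emit_ruleset() {
    cat <<'EOF'
table inet filter
delete table inet filter
table inet filter {
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 203.0.113.7 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # named set lookup, log and drop in one rule
        ip saddr @blocklist log prefix "blocklist-drop " counter drop

        # anonymous set: either subnet may reach SSH, one rule instead of two
        ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport 22 accept

        # one rule for both families: no separate ip/ip6 copies needed
        tcp dport { 80, 443 } accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # everything else: log and drop in the same rule
        log prefix "input-drop " counter drop
    }
}
EOF
}

# check_ruleset: parse-check the ruleset without loading it (nft -c). With a
# drop policy on input, a typo that aborts the load halfway is how you lock
# yourself out, so always check before "nft -f".
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        emit_ruleset | nft -c -f -
    else
        echo "nft not installed: printing ruleset instead of checking it" >&2
        emit_ruleset
    fi
}

# Example session (the iptables -V string is constructed, not read from a host).
echo "backend: $(iptables_backend 'iptables v1.8.7 (nf_tables)')"
check_ruleset || echo "nft -c reported an error; see the messages above" >&2
```

To load the ruleset for real, run `emit_ruleset | nft -f -` as root after the check passes; `nft list table inet filter` then shows it, and `nft add element inet filter blocklist { 192.0.2.9 }` extends the named set without touching any rule. For the iptables habit in #5 and #6, `iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT` prints the nft equivalent of a rule you already know, which is the quickest way to learn the new syntax.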
