Debian 11 To Further Deprecate IPTables In Favor Of Nftables Plus Promoting Firewalld

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • starshipeleven
    replied
    Originally posted by NotMine999:
    IMHO a firewall is one place where you want coding techniques to be sound, simple, secure, and very reliable. Any flaws could increase the potential "attack surface" and risk your network being compromised.

    and wishes these millennials would "learn to code" properly.
    firewalld is just a frontend for the Linux kernel's firewall called "nftables"

    noob
    Last edited by starshipeleven; 15 October 2019, 07:30 PM.



  • DrYak
    replied
    Originally posted by SledgeHammer_999:
    but still you can't make rules based on which program initiates a connection (or accepts one). You know, exactly how most Windows firewalls work.
    Lolwut? `--pid-owner` ?!?

    (Though if you go for the whole Windows-like experience, including the whole "running random shit you downloaded from the interwebz" part, you'd be better off thinking in terms of network routing between your machine and the container running the flatpak/snappy/docker of said random internet shit).

    Capabilities-oriented security systems like SELinux and AppArmor are yet a different strategy to achieve the same too.




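    What Linux firewalls actually expose about the originating process is the owning socket's uid/gid (iptables `-m owner --uid-owner`, nftables `meta skuid` / `meta skgid`), so the practical equivalent of "rules per program" is to run the program under a dedicated account and filter on that. The ruleset below is an added example, not from the thread; the uid 1500 and gid 1600 are constructed values for an assumed "updater" user and an assumed admin group.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): per-user egress control.
# Assumption: the application you want to let out runs as uid 1500
# ("updater", constructed); administrators belong to gid 1600 (constructed).
# Check without loading: nft -c -f egress.nft   Load: nft -f egress.nft

table inet egress_by_user {
    chain output {
        type filter hook output priority 0; policy drop;

        # loopback and replies to already-accepted flows are always allowed
        oif "lo" accept
        ct state established,related accept

        # name resolution for every user, so a blocked program fails loudly
        # (logged below) rather than hanging on DNS
        udp dport 53 accept
        tcp dport 53 accept

        # only sockets owned by uid 1500 may open HTTPS connections
        meta skuid 1500 tcp dport 443 accept

        # admin group may reach package mirrors over HTTP/HTTPS
        meta skgid 1600 tcp dport { 80, 443 } accept

        # everything else: log (rate-limited) and drop in the same rule;
        # packets over the limit fall through to the chain policy (drop)
        limit rate 1/second log prefix "egress-denied: " counter drop
    }
}
```

The `egress-denied:` kernel log lines carry the uid of the blocked socket (`UID=`), which is what you grep for when deciding whether a new program genuinely needs network access.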

  • SledgeHammer_999
    replied
    So many years have passed, so many firewall systems on linux, but still you can't make rules based on which program initiates a connection (or accepts one). You know, exactly how most Windows firewalls work.
    I know we're on linux with open source programs, but why trust them to connect to the Internet if they don't need it?



  • anarki2
    replied
    Finally more standardization. Can't wait to see this in Ubuntu too. Hopefully firewalld makes it into 20.04.

    Btw. I'd love to see firewalld finally support port knocking.



  • discordian
    replied
    Originally posted by tuxd3v:
    I, on the contrary, looked into nftables and don't see exactly what it brings that is new..
    iptables syntax is awesome.
    With iptables I can't filter out packets matching one of two subnets, for example; nftables has far fewer restrictions.
    The real improvements are largely internal: nftables rules can be added and removed more easily in a modular fashion, which is relevant if apps manage their own rules without messing up others. At work I can't use virt-manager and docker at the same time, as their iptables-based bridging interferes with my network configuration.

    Syntax is the least important issue, as the automatic iptables->nftables converters prove.



  • Britoid
    replied
    Originally posted by NotMine999:
    I looked at the https://firewalld.org and did not see anything compelling for my use cases.

    I did see stuff that could mean more complexity / "breakage risk" due to poor coding techniques.

    Now security professionals have to consider the risk of D-BUS flaws causing compromises in the firewall since firewalld proudly proclaims its "Complete D-Bus API" on its web page.

    IMHO a firewall is one place where you want coding techniques to be sound, simple, secure, and very reliable. Any flaws could increase the potential "attack surface" and risk your network being compromised.

    and wishes these millennials would "learn to code" properly.
    firewalld is from Red Hat, it's not a piece of software some guy/girl is writing in his spare time.



  • Hi-Angel
    replied
    Originally posted by NotMine999:
    I looked at the https://firewalld.org and did not see anything compelling for my use cases.

    I did see stuff that could mean more complexity / "breakage risk" due to poor coding techniques.

    Now security professionals have to consider the risk of D-BUS flaws causing compromises in the firewall since firewalld proudly proclaims its "Complete D-Bus API" on its web page.

    IMHO a firewall is one place where you want coding techniques to be sound, simple, secure, and very reliable. Any flaws could increase the potential "attack surface" and risk your network being compromised.

    and wishes these millennials would "learn to code" properly.
    Well, this https://developers.redhat.com/blog/2...e-is-nftables/ mentions the following points:

    • all firewall information viewable with a single underlying tool, nft
    • single rule for both IPv4 and IPv6 instead of duplicating rules
    • does not assume complete control of firewall backend
    • won’t delete firewall rules installed by other tools or users
    • rule optimizations (log and deny in same rule)


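    The points discordian and Hi-Angel raise (matching "one of two subnets" in a single rule, one rule for IPv4 and IPv6, log and deny together, and rules that can be removed without touching anyone else's) all show up in one small ruleset. This is an added example, not from the thread or the Red Hat post; the addresses, the interface names `br-app0`/`eth0` and the table names are constructed.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): host policy and an application's
# rules in separate tables. `nft delete table inet app_bridge` removes the
# application's rules atomically without touching table "host", which is
# the modularity the thread contrasts with apps rewriting shared iptables
# chains. Addresses and interface names are constructed sample values.

# One inet table covers IPv4 and IPv6 without a duplicated ruleset.
table inet host {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # "matching one of two subnets" as a single rule: an anonymous set
        ip saddr { 10.20.0.0/16, 192.168.50.0/24 } tcp dport 22 accept
        # same shape for IPv6 sources, inside the same chain
        ip6 saddr { fd00:20::/32, 2001:db8:50::/64 } tcp dport 22 accept

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept

        # log and deny in the same rule, rate-limited so a scan cannot
        # flood the journal; excess packets still hit the drop policy
        limit rate 5/minute log prefix "host-input-drop: " counter drop
    }
}

# Application-owned rules (think a container bridge helper) in their own
# table; the host table above never needs to know about them.
table inet app_bridge {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "br-app0" oifname "eth0" ct state new accept
        oifname "br-app0" ct state established,related accept
    }
}
```

Both tables can be loaded from separate files (`nft -f host.nft`, `nft -f app_bridge.nft`); `nft list ruleset` then shows the combined state with the single `nft` tool the post mentions.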

  • NotMine999
    replied

    I looked at the https://firewalld.org and did not see anything compelling for my use cases.

    I did see stuff that could mean more complexity / "breakage risk" due to poor coding techniques.

    Now security professionals have to consider the risk of D-BUS flaws causing compromises in the firewall since firewalld proudly proclaims its "Complete D-Bus API" on its web page.

    IMHO a firewall is one place where you want coding techniques to be sound, simple, secure, and very reliable. Any flaws could increase the potential "attack surface" and risk your network being compromised.

    and wishes these millennials would "learn to code" properly.



  • numacross
    replied
    Originally posted by tuxd3v:
    I, on the contrary, looked into nftables and don't see exactly what it brings that is new..
    iptables syntax is awesome.
    You can still, for now, use iptables syntax with nftables, as is the case in Debian. Take a look at the FAQ as well.



  • tuxd3v
    replied
    I, on the contrary, looked into nftables and don't see exactly what it brings that is new..
    iptables syntax is awesome.
