Debian 11 To Further Deprecate IPTables In Favor Of Nftables Plus Promoting Firewalld
IMHO a firewall is one place where you want coding techniques to be sound, simple, secure, and very reliable. Any flaws could increase the potential "attack surface" and risk your network being compromised.
and wishes these millennials would "learn to code" properly.
firewalld is just a frontend for the Linux kernel's firewall called "nftables"
noob
Last edited by starshipeleven; 15 October 2019, 07:30 PM.
but still you can't make rules based on which program initiates a connection (or accepts one). You know, exactly how most Windows firewalls work.
Lolwut? `--pid-owner` ?!?
(Though if you go for the whole Windows-like experience, including the whole "running random shit you downloaded from the interwebz" part, you'd be better off thinking in terms of network routing between your machine and the container running the flatpak/snappy/docker of said random internet shit).
Capabilities-oriented security systems like SELinux and AppArmor are yet a different strategy to achieve the same too.
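As an added example (not code from the thread, Debian or the nftables project): nftables' owner match keys on the socket's owning user or group (`meta skuid` / `meta skgid`), not on the executable, so the usual way to get per-program rules is to run the untrusted program under a dedicated unprivileged account and filter on that UID. The account name `sandbox` and the allowed ports are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: per-user egress policy for an untrusted program.
# Assumes the program runs as the unprivileged user "sandbox" (an
# assumption for this example); everything else on the host keeps
# the chain's default accept policy.

table inet egress_policy {
    chain output {
        type filter hook output priority filter; policy accept;

        # Loopback and replies to flows already tracked are always fine.
        oif "lo" accept
        ct state established,related accept

        # Sockets owned by "sandbox" may only do DNS and HTTPS.
        meta skuid "sandbox" udp dport 53 accept
        meta skuid "sandbox" tcp dport 443 accept

        # Anything else that user originates is logged and refused;
        # the two statements in one rule log and then reject.
        meta skuid "sandbox" log prefix "sandbox-egress-denied: " reject
    }
}
```

Load it with `nft -f` (or `nft -c -f` to only check syntax). The match is on the UID that owns the socket, so it does not cover a connection the program convinces another process (a local proxy, a setuid helper, another user's daemon) to open on its behalf; that is the gap the container-routing approach above closes.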
So many years have passed, so many firewall systems on linux, but still you can't make rules based on which program initiates a connection (or accepts one). You know, exactly how most Windows firewalls work.
I know we're on linux with open source programs, but why trust them to connect to the Internet if they don't need it?
I, on the contrary, look into nftables and don't see exactly what it brings new.
iptables syntax is awesome.
With iptables I can't filter out packets matching one of two subnets, for example; nftables has way fewer restrictions.
The real improvements are largely internal: nftables rules can be added and removed more easily in a modular fashion, which is relevant if apps manage their own rules without messing up others. At work I can't use virt-manager and docker at the same time, as their iptables-based bridging interferes with my network configuration.
Syntax is the least important issue, as the automatic iptables->nftables converters prove.
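The two points in the post above, matching several subnets in one rule and keeping one application's rules separate from another's, as an added example (not code from the thread, Debian or the nftables project). The prefixes are from the documentation ranges and the bridge/interface names are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: a named set holds several prefixes, and each
# application owns its own table. Addresses and interface names
# are assumptions for illustration.

table inet host_filter {
    # One set lookup replaces one iptables rule per subnet. Elements
    # can be added or removed at runtime without rewriting the rule:
    #   nft add element inet host_filter blocked_v4 { 192.0.2.0/24 }
    set blocked_v4 {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 203.0.113.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ip saddr @blocked_v4 counter drop
        tcp dport 22 accept
    }
}

# A container runtime or VM manager gets its own table on the forward
# hook. It can be replaced or removed as a unit, e.g.
#   nft delete table inet app_bridge
# without touching host_filter, which is the modularity the post describes.
table inet app_bridge {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "br-app0" oifname "eth0" ct state new accept
    }
}
```

Check a ruleset before loading it with `nft -c -f ruleset.nft`; `iptables-translate` and `iptables-restore-translate` are the converters referred to above and emit the equivalent `nft` commands for an existing iptables rule or dump. Base chains in different tables on the same hook are evaluated independently, so a drop in either table drops the packet.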
I looked at the https://firewalld.org and did not see anything compelling for my use cases.
I did see stuff that could mean more complexity / "breakage risk" due to poor coding techniques.
Now security professionals have to consider the risk of D-BUS flaws causing compromises in the firewall, since firewalld proudly proclaims it's on its web page.
IMHO a firewall is one place where you want coding techniques to be sound, simple, secure, and very reliable. Any flaws could increase the potential "attack surface" and risk your network being compromised.
and wishes these millennials would "learn to code" properly.
firewalld is from Red Hat, it's not a piece of software some guy/girl is writing in his spare time.