Ubuntu To Try Again In Switching IPTables To Use Nftables Backend

  • Ubuntu To Try Again In Switching IPTables To Use Nftables Backend

    Phoronix: Ubuntu To Try Again In Switching IPTables To Use Nftables Backend

    Back during the Ubuntu 20.04 cycle there was an attempt to switch the iptables back-end to Nftables by default. That plan was ultimately foiled by LXD at the time running into issues and other fallout. But now that those issues should be addressed and Debian Buster has switched to Nftables, the move is being re-attempted next week for Ubuntu 20.10...

    http://www.phoronix.com/scan.php?pag...20.10-Nftables

  • #2
    But now t hat those issues
    Saw that typo from the main page



    • #3
      So will Uncomplicated Firewall (UFW) continue to work with this change?

      I use GUFW for my Arch firewall management needs.



      • #4
        Do Docker containers still lose all connectivity when using Nftables?



        • #5
          Here goes my hope that somebody will port the AFWall+ firewall from Android
          https://f-droid.org/en/packages/dev.ukanth.ufirewall/
          to Linux, and finally have a non-bullshit firewall that is easily configurable instead of stupid port-based firewalls.
          Security goes hand in hand with usability, and when it comes to firewall usability, Linux is a joke.
          It's still hard to believe that when it comes to security I can configure in minutes the rules of the firewall (AFWall+ on Android and GlassWire on Windows), but on Linux I will have to spend days to do the same thing, which of course I don't.

          No wonder that most Linux distros don't come with any firewall whatsoever and very few people actually install a firewall and spend all that time to properly configure it.



          • #6
            Originally posted by Aeder:
            Do Docker containers still lose all connectivity when using Nftables?
            You can use iptables with the `-nft` backend to resolve that, apparently. I found this with a few more instructions:

            https://wiki.archlinux.org/index.php...ng_with_Docker
            Last edited by polarathene; 27 August 2020, 03:06 AM.

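A defender-side check for the situation behind the Docker symptom discussed above, added here as an example (not code from the thread, Docker or Ubuntu): it parses constructed `iptables-legacy-save` and `iptables-nft-save` style dumps and flags when both backends carry rules at once, which is the same condition `iptables-nft` itself warns about with "iptables-legacy tables present".

```python
from collections import defaultdict

# Constructed sample dumps, not real system output: the legacy backend
# still carries Docker's chains while the host policy lives in nf_tables.
LEGACY_DUMP = """\
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN
COMMIT
"""
NFT_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_save(dump):
    """Return {table: {chain: [rules]}} from iptables-save style text."""
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # *filter, *nat, ...
            table = line[1:]
        elif line.startswith(":"):          # :CHAIN POLICY [pkts:bytes]
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):        # -A CHAIN <match/target>
            tables[table][line.split()[1]].append(line)
    return tables

def rule_count(tables):
    return sum(len(r) for chains in tables.values() for r in chains.values())

def check_backends(legacy_dump, nft_dump):
    """Flag rule sets split across iptables-legacy and iptables-nft."""
    legacy, nft = parse_save(legacy_dump), parse_save(nft_dump)
    n_legacy, n_nft = rule_count(legacy), rule_count(nft)
    return {
        "legacy_rules": n_legacy,
        "nft_rules": n_nft,
        "mixed": n_legacy > 0 and n_nft > 0,   # both backends filter at once
        "legacy_only_chains": sorted(          # e.g. Docker's own chains
            c for t in legacy for c in legacy[t] if c not in nft.get(t, {})),
    }
```

On a live host the two dumps come from `iptables-legacy-save` and `iptables-nft-save`; a `mixed` result means packets are evaluated by both rule sets.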


            • #7
              Still waiting for the Linux community to come up with *anything* that resembles a proper firewall. With that, things like this wouldn't even exist. 873rd port of OpenCandyCrush is more important though.



              • #8
                Originally posted by Danny3:
                To Linux and finally have a non-bullshit firewall to be easily configurable instead of stupid port-based firewalls.
                Security goes hand in hand with usability and when it comes to firewall usability, Linux is a joke.
                Android doesn't come with that by default either though? Haven't used Windows or macOS for some time to know how much better the situation is there by default either.

                There are some GUIs/frontends (That AFWall app is just a frontend to iptables for example), but I understand they're not as nice as the two you mention for other platforms.

                Your main gripe is UX for a frontend that lets you easily configure on a per app or process basis? On Android it'd be a bit easier, presumably because you have an "app" view of things; it's not like looking at a process manager where an app could have multiple processes (a la Chrome) or other various background stuff. Apps also have some sort of sandboxing going on there, don't they, vs a traditional desktop app/process? Sort of like it was designed in for a new breed of OS?

                On Linux we have Flatpak/Snap/AppImage which I think can provide similar benefits, but until something like the Fedora Silverblue approach is more widely adopted, you'd still have inconsistency there for everything else non-desktop app related? I think cgroups is another way it can be approached, for narrowing/monitoring the scope of stuff like network traffic. I know that KDE has been focusing on this as an improvement for future iterations of Plasma so that desktop users get a better experience with System Monitor and other cases, but it's still going to require some manual config if your app isn't supported by default. Android, on the other hand, is all under one umbrella; there aren't really different competing standards or much in legacy to care about, right? It's not catering to a server audience either, so it's much easier to deliver the better experience.

                GlassWire looks neat too, but from a quick glance, doesn't seem like it could support the network interface permissions? Only noticed a single network access on/off setting per app.

                But uhh yeah, what you want is probably doable, but supporting it might also presently require you to have a far more restricted amount of choice in what distro and software you use, like Android but without the popularity/ecosystem/wide-spread adoption, which probably has a fairly low amount of interest for anyone to care about such a demographic of Linux desktop users?

                If you'd be more flexible with your expectations, perhaps just for GUI apps with say Flatpak it'd be more likely to see something. Or cgroup route if you're ok with it not being perfect and still perhaps requiring a little push for you to make whatever you're using compatible via some small configuration by hand.



                • #9
                  Originally posted by Danny3:
                  Here goes my hope that somebody will port the AFWall+ firewall from Android
                  https://f-droid.org/en/packages/dev.ukanth.ufirewall/
                  to Linux, and finally have a non-bullshit firewall that is easily configurable instead of stupid port-based firewalls.
                  AFWall on Android is just a frontend for its sandboxing system, not a true "firewall", so there isn't much to port as Linux does not have that (technically there is flatpak).

                  It's still hard to believe that when it comes to security I can configure in minutes the rules of the firewall (AFWall+ on Android and GlassWire on Windows), but on Linux I will have to spend days to do the same thing, which of course I don't.
                  GlassWire is just a frontend for the Windows port-based firewall, so at the end of the day it is still using ports. It's just hiding the fact from the user and using profiles. If that's the only thing you actually need, Linux distros do that too, with GUIs even.

                  No wonder that most Linux distros don't come with any firewall whatsoever and very few people actually install a firewall and spend all that time to properly configure it.
                  What the fuck are you talking about? You can install GUI tools that let you set up a firewall on an application basis like firewall-config https://www.how2shout.com/how-to/how...-on-linux.html Even on Ubuntu.
                  Again this is a profile-based system, so it's still using ports in practice because that's the only thing it can do, but you will not see that.

                  You will see service/application names and enable or disable their access to the network.

                  What ports they need/use are written in the application profile that is shipped with its package, so when you install a service a new entry in the GUI will appear to manage it.

                  Also openSUSE has a YaST panel to do that (again with profiles), using the same firewalld backend.



                  • #10
                    Originally posted by eydee:
                    Still waiting for the Linux community to come up with *anything* that resembles a proper firewall. With that, things like this wouldn't even exist. 873rd port of OpenCandyCrush is more important though.
                    What is a "proper firewall" for you?
