On 17 May 2015 at 18:31, Paul Rogers <[email protected]> wrote:
> > I'm about to build a new firewall for a gateway box and I'm tempted by
> > nftables. It's interesting for two reasons: it's the next generation
> > GNU/Linux firewall, and alone it can replace iptables, ip6tables,
> > arptables, and ebtables.
> >
> > Has anybody used nftables and have anything to report (negative or
> > positive)? I saw mention of it on one of these lists just over a year
> > ago which linked to a useful website. I had already found the website
> > the link pointed to (via google), and it's here http://is.gd/hP4WX0 if
> > anybody is interested.
>
> Yes, I can see why it's attractive from an architecture point of view.
> But if the details of the IP protocols are being pulled out of the
> code, one must be able to understand that one has created firewall
> rules that cover all the attack vectors. The other thing is, I think
> for something so critical anymore as a firewall, and in comparison to
> something with such a history as iptables, I'll be waiting for a couple
> stable releases at least.
>

Maybe not *so* much of a history, ipchains -> iptables -> nftables,
although I accept that the differences between the first two are not as
great as between iptables and nftables.

Richard
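As an added example, not code from this thread or from the BLFS project: the kind of gateway ruleset the original poster describes, where a single `inet` table covers both IPv4 and IPv6 (the job iptables and ip6tables used to split) and a separate `ip nat` table does the masquerading. Both filter chains use `policy drop` with explicit accepts, which is what makes Paul's "does it cover all the attack vectors" question answerable by reading the file rather than by guessing. The interface names (`eth0` WAN, `eth1` LAN), the LAN prefix and the services offered to the LAN are assumptions for illustration, and the syntax is that of current nft, which has changed somewhat since 2015.

```nft
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread.
# Assumed topology: eth0 = WAN, eth1 = LAN, LAN prefix 192.168.1.0/24.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful baseline: keep replies to our own traffic, drop what conntrack cannot classify
        ct state established,related accept
        ct state invalid drop

        iifname "lo" accept

        # ICMP/ICMPv6 the stack needs (PMTU, errors, IPv6 neighbour discovery); everything else is dropped
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Management only from the LAN side, and rate limited so a brute-force attempt is throttled
        iifname "eth1" tcp dport 22 ct state new limit rate 6/minute accept

        # DHCP and DNS for LAN clients (assumes this box serves both)
        iifname "eth1" udp dport { 53, 67 } accept
        iifname "eth1" tcp dport 53 accept

        # Sample what the default policy drops, so the log stays readable under a flood
        limit rate 5/minute log prefix "nft input drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Only LAN -> WAN may open new flows; the return path is covered by established,related
        iifname "eth1" oifname "eth0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# NAT is IPv4-only here, so it lives in the ip family rather than inet
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" ip saddr 192.168.1.0/24 masquerade
    }
}
```

Check the file with `nft -c -f gateway.nft` before loading it with `nft -f gateway.nft`, then confirm the live state with `nft list ruleset`; the `flush ruleset` at the top makes the file the complete description of the firewall, so an audit of what is reachable is an audit of this one file.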
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
