Pat Suwalski wrote:
> Package: sshguard
>
> Upon upgrading to buster, sshguard in all of my deployments has stopped
> working.
>
> I suspect this line in the Debian changelog:
>
>   * debian/sshguard.service, Use nft instead iptables.
>
> There doesn't seem to be any obvious way to change this back to iptables.

Debian 10 defaults to nftables, and iptables(8) is a backcompat wrapper:

    bash5$ mmdebstrap --quiet buster /dev/null --include=iptables --customize-hook='chroot $1 readlink -f /usr/sbin/iptables'
    /usr/sbin/xtables-nft-multi

sshguard should Just Work even if your main firewall is still using xtables directly.
Linux will happily operate with some firewall rules in xtables, and some firewall rules in nft --- but it can be VERY hard to debug!

If you want iptables(8) to use xtables instead of nft,
configure it via update-alternatives.

If you want sshguard to use ipset(8) or iptables(8) instead of nft(8),
change this line in /etc/sshguard/sshguard.conf:

    BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets"

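The check described in the message above, as an added example that is not part of the original message or of sshguard: it compares what iptables(8) resolves to with the BACKEND set in sshguard.conf and reports whether both write to the same framework. The function names, the `xtables-legacy-multi` case and the treatment of `sshg-fw-iptables` as following whatever iptables(8) resolves to are assumptions; the sample config is constructed.

```shell
#!/bin/sh
# Added example: do iptables(8) and sshguard write to the same framework?

# Map a resolved iptables(8) path to the framework behind it.
iptables_kind() {
    case "$(basename "$1")" in
        xtables-nft-multi)    echo nft ;;
        xtables-legacy-multi) echo xtables ;;
        *)                    echo unknown ;;
    esac
}

# Print the basename of the last uncommented BACKEND= value in a sshguard.conf.
sshguard_backend() {
    value=$(sed -n 's/^[[:space:]]*BACKEND=//p' "$1" | tail -n 1 | tr -d "\"'")
    [ -n "$value" ] && basename "$value"
}

# Framework sshguard's blocks land in, given its backend and the iptables kind.
sshguard_kind() {
    case "$1" in
        sshg-fw-nft-sets) echo nft ;;
        sshg-fw-iptables) echo "$2" ;;  # assumption: follows iptables(8)
        *)                echo unknown ;;
    esac
}

# $1 = resolved iptables path, $2 = path to sshguard.conf
report() {
    ipt=$(iptables_kind "$1")
    backend=$(sshguard_backend "$2") || backend=""
    sg=$(sshguard_kind "$backend" "$ipt")
    if [ "$ipt" = unknown ] || [ "$sg" = unknown ]; then
        echo "unknown: iptables=$ipt sshguard=$sg"
    elif [ "$ipt" = "$sg" ]; then
        echo "same: both in $ipt"
    else
        echo "split: iptables=$ipt sshguard=$sg"
    fi
}

# Demo on a constructed config. On a real host, call instead:
#   report "$(readlink -f /usr/sbin/iptables)" /etc/sshguard/sshguard.conf
demo_conf=$(mktemp)
printf '%s\n' '# constructed sample' \
    'BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets"' > "$demo_conf"
report /usr/sbin/xtables-nft-multi "$demo_conf"
report /usr/sbin/xtables-legacy-multi "$demo_conf"
rm -f "$demo_conf"
```

A "split" result is the mixed xtables/nft situation the message calls hard to debug: sshguard's blocks will not show up in the tool used to inspect the main ruleset.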