Hi there, as you may know, Debian 10 buster includes the iptables-nft utility by default, which is an iptables flavor that uses the nf_tables kernel subsystem. Is intended to help people migrate from iptables to nftables.
For the next release cycle I propose we move this default event further. As of this email, iptables [0] is Priority: important and nftables [1] is Priority: optional in both buster and bullseye. The important value means the package gets installed by default in every Debian install. Also, I believe the days of using a low level tool for directly configuring the firewall may be gone, at least for desktop use cases. It seems the industry more or less agreed on using firewalld [2] as a wrapper for the system firewall. There are plenty of system services that integrate with firewalld anyway [3]. By the way, firewalld is using (or should be using) nftables by default at this point. This email contains 2 changes/proposals for Debian 11 bullseye: 1) switch priority values for iptables/nftables, i.e, make nftables Priority: important and iptables Priority: optional 2) introduce firewalld as the default firewalling wrapper in Debian, at least in desktop related tasksel tasks. For changes in 2) I'm looking forward to have consensus, and will need others to do changes themselves. I can do changes in 1) myself, and will probably do very soon. regards [0] https://tracker.debian.org/pkg/iptables [1] https://tracker.debian.org/pkg/nftables [2] https://tracker.debian.org/pkg/firewalld [3] disclaimer: I don't use firewalld myself
