Hi,

I'm replying to your questions but I have also other questions related to this fresh transition...

On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:
> as you may know, Debian 10 buster includes the iptables-nft utility by default,
> which is an iptables flavor that uses the nf_tables kernel subsystem.
> Is intended to help people migrate from iptables to nftables.

It is intended that /proc/net/ip_tables_names and /proc/net/ip6_tables_names is always empty when you use iptables-nft and thus nf_tables under the hood?

This is breaking fwbuilder at least:
https://github.com/fwbuilder/fwbuilder/issues/88

> Also, I believe the days of using a low level tool for directly configuring the
> firewall may be gone, at least for desktop use cases. It seems the industry more
> or less agreed on using firewalld [2] as a wrapper for the system firewall.

What would/should Debian recommend to configure the firewall on the server case?

I was recommending creating firewall rules with fwbuilder up to now (see https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html) but while it's still maintained, it has not had any recent release and still hasn't native nftables support (https://github.com/fwbuilder/fwbuilder/issues/17).

> This email contains 2 changes/proposals for Debian 11 bullseye:
>
> 1) switch priority values for iptables/nftables, i.e, make nftables Priority:
> important and iptables Priority: optional

Ack.

> 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> desktop related tasksel tasks.

No objection. I think it's high time we have some default firewall installed in particular with IPv6 getting more widely deployed...

The other desktop firewall that I know is "ufw" but it doesn't seem to have any momentum behind it.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/