On 7/16/19 11:57 AM, Raphael Hertzog wrote:
> Hi,
>
> I'm replying to your questions but I have also other questions related to
> this fresh transition...
>
> On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:
>> as you may know, Debian 10 buster includes the iptables-nft utility by
>> default, which is an iptables flavor that uses the nf_tables kernel subsystem.
>> It is intended to help people migrate from iptables to nftables.
>
> Is it intended that /proc/net/ip_tables_names and
> /proc/net/ip6_tables_names are always empty when you use iptables-nft and
> thus nf_tables under the hood?
>
> This is breaking fwbuilder at least:
> https://github.com/fwbuilder/fwbuilder/issues/88
>

Yes, nf_tables does not expose that data into /proc/; it uses a netlink API,
which is a better way of interacting with it.

>> Also, I believe the days of using a low-level tool for directly configuring
>> the firewall may be gone, at least for desktop use cases. It seems the
>> industry more or less agreed on using firewalld [2] as a wrapper for the
>> system firewall.
>
> What would/should Debian recommend to configure the firewall on the server
> case?
>
> I was recommending creating firewall rules with fwbuilder up to now (see
> https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html)

The reset_iptables() functions you mentioned in the above issue don't even
replace the rules in an atomic fashion, which is not a good way to work with
firewall rules, especially for wrappers.

firewalld can be useful in server use cases as well. Here is libvirt using
firewalld (and nftables):
https://libvirt.org/firewall.html#fw-firewalld-and-virtual-network-driver

This is all to say that firewalld may be way better than fwbuilder as a
general recommendation.
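The two points raised in this reply, the empty /proc files under iptables-nft and the non-atomic reload, illustrated with an added example that is not part of the thread and not fwbuilder's or libvirt's code. It assumes the `iptables` and `nft` binaries are installed and that the reload functions are run as root; the ruleset contents are constructed for illustration.

```shell
#!/bin/sh
# Contrast a "flush, then re-add rules one by one" reload, in the spirit
# of the reset_iptables() helper discussed above, with an nftables ruleset
# applied as a single transaction via `nft -f`.

# Non-atomic reload: between the flush and the final -P DROP the chain is
# empty with policy ACCEPT (fail-open), and an error in any -A call leaves
# a half-applied ruleset behind.
nonatomic_reload() {
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -P INPUT DROP
}

# Equivalent nftables ruleset as one file (constructed example). The
# `flush ruleset` line is part of the same transaction as the new rules,
# so the kernel commits everything or nothing and no fail-open window
# exists.
atomic_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
    }
}
EOF
}

# Apply the ruleset in a single netlink transaction (nft reads stdin for "-").
atomic_reload() {
    atomic_ruleset | nft -f -
}

# With iptables-nft the legacy x_tables /proc files stay empty even while
# rules are loaded; returns 0 only if legacy tables are registered.
legacy_tables_present() {
    [ -s /proc/net/ip_tables_names ] || [ -s /proc/net/ip6_tables_names ]
}

# Returns 0 when the generated ruleset starts with the flush that makes the
# replacement atomic; without it `nft -f` would merely append to live rules.
ruleset_is_atomic() {
    [ "$(atomic_ruleset | head -n 1)" = "flush ruleset" ]
}
```

After `atomic_reload` on an iptables-nft system, `legacy_tables_present` still returns non-zero, which is exactly the behaviour that trips up tools reading /proc/net/ip_tables_names.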