On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:

> Hi there,
>
> as you may know, Debian 10 buster includes the iptables-nft utility by default,
> which is an iptables flavor that uses the nf_tables kernel subsystem.
> Is intended to help people migrate from iptables to nftables.
>
> For the next release cycle I propose we move this default event further.
> As of this email, iptables [0] is Priority: important and nftables [1] is
> Priority: optional in both buster and bullseye. The important value means the
> package gets installed by default in every Debian install.

As the upstream ufw developer, this makes sense to me.

> Also, I believe the days of using a low level tool for directly configuring the
> firewall may be gone, at least for desktop use cases. It seems the industry more
> or less agreed on using firewalld [2] as a wrapper for the system firewall.
> There are plenty of system services that integrate with firewalld anyway [3].
> By the way, firewalld is using (or should be using) nftables by default at this
> point.
>
> This email contains 2 changes/proposals for Debian 11 bullseye:
>
> 1) switch priority values for iptables/nftables, i.e, make nftables Priority:
> important and iptables Priority: optional

Makes sense.

> 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> desktop related tasksel tasks.

I'm obviously biased, but anecdotally I have had quite a few people say disparaging things about firewalld, particularly from server admins. I'm not really in a position for people to sing firewalld's praises to me, so take that for what it is worth. IIRC, network-manager has a fair frontend for firewalld that could be nice for desktop users if Debian wants that tight integration.

That said, I can say that the ufw packaging makes it so it stays out of the way for people who want to use other firewall applications. I encourage Debian in whatever choice is made to make sure that the experience degrades gracefully if someone chooses something other than the default.

--
Email: ja...@strandboge.com
IRC: jdstrand