onefang said on Wed, 12 Jan 2022 23:49:39 +1000
> I've been using shorewall and fail2ban for a while now, but nftables is
> soon replacing iptables, so it's time to consider some options.
I can't tell whether you're addressing the firewall on a single computer, or the firewall between your LAN and the Internet.

If the former, now that https://www.tomsguide.com/news/router-attack-netusb-flaw , I'm going to replace the firewall functions of my Spectrum Cable Modem with an OpenBSD PF firewall. An excellent documentation set of PF is at https://www.tomsguide.com/news/router-attack-netusb-flaw , and there's an excellent sample firewall config at https://www.openbsd.org/faq/pf/filter.html#example . Having looked at pfSense, iptables, nftables, IPFire, Openwall, and OPNsense, I find plain old pf superior for a firewall appliance. If you need the same machine to be a DHCP server, I'd just install a BSD DHCP server on the same machine. If I wanted a DNS server on the firewall machine (I don't) instead of on one of my LAN machines (which I do), I'd install unbound and nsd on the BSD machine.

======

If you meant the firewall on one Linux machine, you obviously can't use the BSD-only pf. I've found iptables to be quite useable, and haven't yet tried nftables. I tried Shorewall and found it to add tremendous complication to iptables, and it seems to outsmart itself when trying to do something out of the ordinary, so I just resorted to iptables. I haven't tried fail2ban, and would like to hear more about it.

SteveT

Steve Litt
Spring 2021 featured book: Troubleshooting Techniques of the Successful Technologist
http://www.troubleshooters.com/techniques

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
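As an added illustration of the LAN/Internet appliance Steve describes (a default-deny OpenBSD pf ruleset that also hosts DHCP and DNS for the LAN), here is an example pf.conf; it is not from Steve's post or the OpenBSD FAQ, and the interface names em0/em1 and the 192.168.1.0/24 prefix are assumptions.

```pf
# Constructed example: two-interface OpenBSD pf firewall between a cable
# modem and a LAN. em0/em1 and the LAN prefix are assumptions.
ext_if  = "em0"             # toward the cable modem
int_if  = "em1"             # toward the LAN
lan_net = "192.168.1.0/24"  # constructed LAN prefix

set skip on lo
set block-policy drop       # silently drop rather than send RST/ICMP

# Addresses that must never arrive from, or be sent to, the Internet side.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.168.0.0/16 224.0.0.0/3 }
block in  quick on $ext_if from <martians> to any
block return out quick on $ext_if to <martians>
antispoof quick for { lo $int_if }

# NAT the LAN behind whatever address the modem hands em0.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny; log drops so unexpected traffic shows up in pflog0.
block log all

# The firewall itself may initiate connections; LAN hosts may reach the
# Internet and the firewall's own services (unbound on port 53 included).
pass out quick inet keep state
pass in on $int_if inet from $lan_net to any keep state

# DHCP DISCOVER arrives from 0.0.0.0, so it needs a rule that is not
# restricted to $lan_net.
pass in on $int_if inet proto udp from any port bootpc to any port bootps

# Nothing unsolicited from the Internet except echo requests for diagnostics.
pass in on $ext_if inet proto icmp icmp-type echoreq
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; the `block log all` rule means dropped packets can be inspected with `tcpdump -n -e -ttt -i pflog0`.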