Re: is nft running? how do I get info?

2023-04-25 Thread David Wright
On Tue 25 Apr 2023 at 15:21:50 (+), Bonno Bloksma wrote:
> I consider not having nftables enabled by default in bookworm a bug, let me 
> explain why...
> 
> >> It seems the bookworm release comes with NO firewall solution enabled !
> >> Iptables is no longer installed by default 
> >> The nft service is NOT enabled by default.
> 
> > It seems like you missed reading the Release Notes:
> > 
> >   §2.2.6 Network filtering based on nftables framework by default
> 
> Ok, I was "talking" about bookworm, these are the release notes for Buster, 
> not even Bullseye. I was not interested in nft at that time and probably 
> glanced over it. 
> I can understand nft not being enabled by default in Buster, we still had a 
> fully functional iptables at that point, I guess most of us still used it at 
> that time.

Those (ie you) were the people for whom the Release Notes were written.

> > and the reference there to https://wiki.debian.org/nftables which has its § 
> > "nftables in Debian the easy way".
> This still talks about installing nftables, that is also very old.
> 
> But yes, I must have missed it because I never enabled the nftables "service".

That's what I thought. But it's only old because this was all
documented two releases ago.

> What I am talking about now is that iptables is gone (by default).

Yes, they wrote "nftables provides a full replacement for iptables", …
"This change is in line with what other major Linux distributions are doing".
And the wiki: "the iptables utility may not be installed in a system by 
default."

If you were an iptables user, you'd have found in NEWS.Debian:

  "iptables is no longer Priority: important. This means it is not
  installed by default in every system. It has been replaced by nftables"

and there was advice on tools for converting iptables into nftables
configurations, spelled out in README.Debian.

> There is also a default nftables.conf file, but ... it is almost useless and 
> even misleading because it never gets used.
> And unless you make an obvious error and NOT expect your service(s) to work 
> why would you be surprised when the (non existing) firewall enables the 
> services to work as they should?

AFAICT all your complaints are answered in the wiki and the iptables
documentation, and changes really ought not to come as a surprise.

> In all the 20+ years I have been writing firewalls I have always written them 
> by starting from a closed firewall to open just the right services/ports. I 
> would never test if something worked for which I never opened the 
> corresponding port, why would I? I would test if something worked for which I 
> had supposedly opened the correct network port.
> Also in those days with ipchains and iptables there were scripts and if there 
> was an error I would see it when testing the script. 
> 
> If I test the /etc/nftables.conf file as a script it will even work 
> flawlessly with no errors. I can even use the nft list ruleset command 
> afterwards to see I have a working firewall.
> Unfortunately that works only until the next reboot, but why would I think so?
> 
> Why, now that we are at bookworm, is the nftables service not enabled by 
> default? With a default ruleset that pretty much leaves it all open but is a 
> starting point.
> If we do not want that, then at least the default config should contain a 
> warning about first enabling the service or scripting something to have it 
> working (after a reboot).
> 
> I think this is the first time I have come across something in Debian that 
> after being installed by default does nothing, even when provided with a 
> valid config file at the proper location.
> I consider that a bug.

Debates have raged in the past about whether services should be
started automatically just because they have been installed.
My recollection is that it was unix old-timers who maintained that
they ought not to be. And …

> Here is something similar.
> Consider opening your door with a key. Every time you open the door with the 
> key it opens. All is well, you bought the cylinder and key for the lock at a 
> very good locksmith. You told him you had been installing cylinders in doors 
> for years and you were able to insert this cylinder in the door.
> Until sometime later you find out the door never locks, it is always open, 
> that is why you could always enter.
> It turns out you first need to enable the cylinder before it did something 
> useful with the key provided.
> That was something completely new, you never heard of it before, neither do I 
> though. ;-)

And the opposing view, a more likely scenario: you have new locks
fitted. Unfortunately, the first time you go out, you pocket your
keys as usual and walk out, closing the door behind you. Later you
find you hadn't yet fitted the new key onto your keyring…

Cheers,
David.



Re: is nft running? how do I get info?

2023-04-25 Thread songbird
Bonno Bloksma wrote:
...
> Why, now that we are at bookworm, is the nftables service not enabled by 
> default? With a default ruleset that pretty much leaves it all open but is a 
> starting point.
> If we do not want that, then at least the default config should contain a 
> warning about first enabling the service or scripting something to have it 
> working (after a reboot).
>
> I think this is the first time I have come across something in Debian that 
> after being installed by default does nothing, even when provided with a 
> valid config file at the proper location.
> I consider that a bug.
>
> Here is something similar.
> Consider opening your door with a key. Every time you open the door with the 
> key it opens. All is well, you bought the cylinder and key for the lock at a 
> very good locksmith. You told him you had been installing cylinders in doors 
> for years and you were able to insert this cylinder in the door.
> Until sometime later you find out the door never locks, it is always open, 
> that is why you could always enter.
> It turns out you first need to enable the cylinder before it did something 
> useful with the key provided.
> That was something completely new, you never heard of it before, neither do I 
> though. ;-)
>
> Bonno Bloksma

  not everyone wants a firewall installed on their system
(non-desktop users or embedded systems being two examples
that easily come to mind).

  i think for most desktop installs there should be a minimal
firewall installed but then you get into the issue of which one?

  personally i run ufw.


  songbird



RE: is nft running? how do I get info?

2023-04-25 Thread Bonno Bloksma
Hi David and others,

I consider not having nftables enabled by default in bookworm a bug, let me 
explain why...


>> It seems the bookworm release comes with NO firewall solution enabled !
>> Iptables is no longer installed by default 
>> The nft service is NOT enabled by default.

> It seems like you missed reading the Release Notes:
> 
>   §2.2.6 Network filtering based on nftables framework by default

Ok, I was "talking" about bookworm, these are the release notes for Buster, not 
even Bullseye. I was not interested in nft at that time and probably glanced 
over it. 
I can understand nft not being enabled by default in Buster, we still had a 
fully functional iptables at that point, I guess most of us still used it at 
that time.

> and the reference there to https://wiki.debian.org/nftables which has its § 
> "nftables in Debian the easy way".
This still talks about installing nftables, that is also very old.

But yes, I must have missed it because I never enabled the nftables "service".

What I am talking about now is that iptables is gone (by default). There is 
also a default nftables.conf file, but ... it is almost useless and even 
misleading because it never gets used.
And unless you make an obvious error and NOT expect your service(s) to work why 
would you be surprised when the (non existing) firewall enables the services to 
work as they should?

In all the 20+ years I have been writing firewalls I have always written them 
by starting from a closed firewall to open just the right services/ports. I 
would never test if something worked for which I never opened the corresponding 
port, why would I? I would test if something worked for which I had supposedly 
opened the correct network port.
Also in those days with ipchains and iptables there were scripts and if there 
was an error I would see it when testing the script. 

If I test the /etc/nftables.conf file as a script it will even work flawlessly 
with no errors. I can even use the nft list ruleset command afterwards to see I 
have a working firewall.
Unfortunately that works only until the next reboot, but why would I think so?

Why, now that we are at bookworm, is the nftables service not enabled by 
default? With a default ruleset that pretty much leaves it all open but is a 
starting point.
If we do not want that, then at least the default config should contain a 
warning about first enabling the service or scripting something to have it 
working (after a reboot).

I think this is the first time I have come across something in Debian that 
after being installed by default does nothing, even when provided with a valid 
config file at the proper location.
I consider that a bug.

Here is something similar.
Consider opening your door with a key. Every time you open the door with the 
key it opens. All is well, you bought the cylinder and key for the lock at a 
very good locksmith. You told him you had been installing cylinders in doors 
for years and you were able to insert this cylinder in the door.
Until sometime later you find out the door never locks, it is always open, that 
is why you could always enter.
It turns out you first need to enable the cylinder before it did something 
useful with the key provided.
That was something completely new, you never heard of it before, neither do I 
though. ;-)

Bonno Bloksma



Re: is nft running? how do I get info?

2023-04-25 Thread David Wright
On Tue 25 Apr 2023 at 08:59:23 (+), Bonno Bloksma wrote:
> 
> Did I discover a bug in the bookworm release? I think we can argue both for 
> and against but I am calling it a bug.
> 
> It seems the bookworm release comes with NO firewall solution enabled !
> Iptables is no longer installed by default
> The nft service is NOT enabled by default.
> 
> After searching some more I found "Enable and start the nftables service by":
> sudo systemctl enable nftables 
> sudo systemctl start nftables.
> Looking at the sudo stuff it must have been written for Ubuntu. And indeed, I 
> now have a nft service that will by default load the /etc/nftables.conf file 
> :-)
> The start command in itself is not needed, it just starts the firewall right 
> away.
> 
> I do NOT understand why it is not enabled by default with the default config 
> as it is.
> The firewall in itself is open enough that it does not block stuff, but it 
> does allow someone to build upon or to replace it with a proper firewall.
> 
> There probably was a discussion about it sometime in the past and this is 
> what "they" came up with.
> Still, I think there should be a better way, have a default (semi) open 
> firewall and have it enabled by default. 
> 
> Now all I need to do is go to my existing Buster installs and enable the 
> firewall. It seems after I changed the iptables script to a nft config I have 
> been running my buster machines with a proper nft config that NEVER got 
> loaded. :-(

It seems like you missed reading the Release Notes:

  §2.2.6 Network filtering based on nftables framework by default

and the reference there to https://wiki.debian.org/nftables
which has its § "nftables in Debian the easy way".

Cheers,
David.



Re: is nft running? how do I get info?

2023-04-25 Thread Greg Wooledge
On Tue, Apr 25, 2023 at 02:11:45PM +0500, Stanislav Vlasov wrote:
> And, if you use 'su' command, please use it right:
> su -

There are many "right" ways to elevate privileges.  See
 for more options.



Re: is nft running? how do I get info?

2023-04-25 Thread Anssi Saari
Bonno Bloksma  writes:

> Also trying command completion with the nft, or even nf, show no
> results. Using just the n for completion gives just the networking
> service.

It seems others covered your other issues so I'll just comment on this.

Maybe your command completion is just bad? I can't complete service
names either, with bash. In zsh completion works out of the box and
that's one reason I use it, instead of bash.




RE: is nft running? how do I get info?

2023-04-25 Thread Bonno Bloksma
Hi All,

Did I discover a bug in the bookworm release? I think we can argue both for and 
against but I am calling it a bug.

It seems the bookworm release comes with NO firewall solution enabled !
Iptables is no longer installed by default
The nft service is NOT enabled by default.

After searching some more I found "Enable and start the nftables service by":
sudo systemctl enable nftables 
sudo systemctl start nftables.
Looking at the sudo stuff it must have been written for Ubuntu. And indeed, I 
now have a nft service that will by default load the /etc/nftables.conf file :-)
The start command in itself is not needed, it just starts the firewall right 
away.

I do NOT understand why it is not enabled by default with the default config as 
it is.
The firewall in itself is open enough that it does not block stuff, but it does 
allow someone to build upon or to replace it with a proper firewall.

There probably was a discussion about it sometime in the past and this is what 
"they" came up with.
Still, I think there should be a better way, have a default (semi) open 
firewall and have it enabled by default. 

Now all I need to do is go to my existing Buster installs and enable the 
firewall. It seems after I changed the iptables script to a nft config I have 
been running my buster machines with a proper nft config that NEVER got loaded. 
:-(

Bonno Bloksma



RE: is nft running? how do I get info?

2023-04-25 Thread Bonno Bloksma
Hi Dan,

>> I thought I understood it all and as far as I know I have a working config. 
>> But just trying to get a listing of the running config shows NOTHING.
>> linbookwormtest:~# nft list ruleset
>> linbookwormtest:~#
> 
> That says that you have no firewall set up.
That was my conclusion as well. :-(

> All Linux kernel firewalls are implemented via nft, even if you are using 
> iptables or ufw or some other system.
Ok.

> Try this:
> 
> $ lsmod | grep nft

Well I get :
linbookwormtest:~# lsmod | grep nft
linbookwormtest:~#

Another NOTHING. And yes, lsmod itself does list the loaded modules.

> It's not a matter of running, it's a matter of whether rules have been loaded.
Probably not, but why not?

> Now whether I have those SSH lines enabled or disable them makes no 
> difference, I can still logon using ssh. :-(
> 
> How, how do I continue? It isn't even working on a clean install of Debian 
> bookworm with the default config file.

> Try:
> # nft -f /etc/nftables.conf
> # nft list ruleset

Ok, that works. Now I get a firewall listing. So the config never gets loaded. 
Weird.

> I suspect you just don't have anything loading the rules.
But... should that not be systemd when it sees an executable nftables.conf file? 
That is the default Debian setup in which I have not changed anything.
If that does not work then the Debian default does not work. I do not think 
there will be a lot of people who want to START by creating system service 
files just to get the firewall up and running each time.

With the old stuff I knew I had to execute a script loading the rules, that was 
normal. 
With nft everything is built in and the config file is executable. Why ?

Bonno



Re: is nft running? how do I get info?

2023-04-25 Thread Christoph Brinkhaus
On Tue, Apr 25, 2023 at 07:58:56AM + Bonno Bloksma wrote:
Hi Bonno,

> Hi Anssi,
> 
> >> There is nothing in the journal about nft
> >> linbookwormtest:~# journalctl -t nft
> >> -- Journal begins at Mon 2023-03-27 13:07:50 CEST, ends at Mon 2023-04-24 12:18:07 CEST. --
> >> -- No entries --
> 
> > Debian's nftables package includes a systemd service to run
> > nftables. You might want to run systemctl status nftables first
> > and then enable and to start the service.
> Unfortunately nft is not a service. Trying the service command with
> nft gives an error.
> linbookwormtest:~# service nft status
> Unit nft.service could not be found.
> linbookwormtest:~#

The service is named nftables. This is the name which must be applied
to enable the service and for digging in the logs. nft is used to
manage the filter. Please see 
https://www.debian.org/doc/manuals/debian-handbook/sect.firewall-packet-filtering.en.html

Just as a reference the output from my system:


# systemctl status nftables
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2023-04-25 10:28:37 CEST; 26min ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 226 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 226 (code=exited, status=0/SUCCESS)
        CPU: 11ms

Apr 25 10:28:37 lenovo systemd[1]: Finished nftables.
Warning: journal has been rotated since unit was started, output may be incomplete.

> Also trying command completion with the nft, or even nf, show no
> results. Using just the n for completion gives just the networking
> service.
> 
> > I wonder how you used iptables? I always used a script for that
> > but I had to run it too for changes...
> I allways had a script too. I had it hooked in
> /etc/network/interfaces via either a pre-up or post-up rule
> depending if there was a fixed ip or a dhcp line in the interfaces
> file.
> 
> A default Debian install has an executable /etc/nftables.conf file.
This configuration is started by systemd with 
nft -f /etc/nftables.conf. The default file does no filtering at all.

> If nothing is looking at that file then what is the "normal" wat to
> start the firewall?  Do I hook it up via one of the old /etc/init.d/
> scripts? Do I create a script in one of the /etc/rc?.d/ directories?
> I am pretty sure they don't expect every novice to start writing
> systemd service files? I don't even know where they are, I never
> touch them, too much can go wrong by not understanding how it all
> connects.  If I install dhcp it comes with default config files. If
> I change them then THAT config gets loaded.
> 
> If Debian does NOTHING with that nft config file then why is it
> there?  Is this a bug? 
Please enable the firewall by # systemctl enable nftables.service.
Then it should work.

Kind regards,
Christoph
-- 
If the cat is healthy,
the dog finds it tasty.




Re: is nft running? how do I get info?

2023-04-25 Thread Stanislav Vlasov
On Tue, 25 Apr 2023 at 13:32, Bonno Bloksma wrote:
> > Debian's nftables package includes a systemd service to run nftables. You 
> > might want to run systemctl status nftables first and then enable and to 
> > start the service.
> Unfortunately nft is not a service. Trying the service command with nft gives 
> an error.
> linbookwormtest:~# service nft status
> Unit nft.service could not be found.
> linbookwormtest:~#

$ sudo systemctl status nftables.service
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:nft(8)
             http://wiki.nftables.org

This is not a true service, but only a loader for the /etc/nftables.conf rules
at boot, if enabled.

> Also trying command completion with the nft, or even nf, show no results. 
> Using just the n for completion gives just the networking service.

nftables: /usr/sbin/nft
This is a package, which may or may not be installed.
And, if you use 'su' command, please use it right:
su -

> > I wonder how you used iptables? I always used a script for that but I had 
> > to run it too for changes...
> I always had a script too. I had it hooked in /etc/network/interfaces via 
> either a pre-up or post-up rule depending if there was a fixed ip or a dhcp 
> line in the interfaces file.

> A default Debian install has an executable /etc/nftables.conf file. If 
> nothing is looking at that file then what is the "normal" way to start the 
> firewall?

see above

> Do I hook it up via one of the old /etc/init.d/ scripts? Do I create a script 
> in one of the /etc/rc?.d/ directories?

No. You may write some scripts in /etc/network subdirs, if you REALLY
need custom rules at interface up or down.

> Is this a bug?

No. But docs need to be read.
/usr/share/doc/nftables/README.Debian - good starting point.

-- 
Stanislav



RE: is nft running? how do I get info?

2023-04-25 Thread Bonno Bloksma
Hi Anssi,

>> There is nothing in the journal about nft 
>> linbookwormtest:~#journalctl -t nft
>> -- Journal begins at Mon 2023-03-27 13:07:50 CEST, ends at Mon 
>> 2023-04-24 12:18:07 CEST. --
>> -- No entries --

> Debian's nftables package includes a systemd service to run nftables. You 
> might want to run systemctl status nftables first and then enable and to 
> start the service.
Unfortunately nft is not a service. Trying the service command with nft gives 
an error.
linbookwormtest:~# service nft status
Unit nft.service could not be found.
linbookwormtest:~#

Also trying command completion with the nft, or even nf, show no results. Using 
just the n for completion gives just the networking service.

> I wonder how you used iptables? I always used a script for that but I had to 
> run it too for changes...
I always had a script too. I had it hooked in /etc/network/interfaces via 
either a pre-up or post-up rule depending if there was a fixed ip or a dhcp 
line in the interfaces file.

A default Debian install has an executable /etc/nftables.conf file. If nothing 
is looking at that file then what is the "normal" way to start the firewall? 
Do I hook it up via one of the old /etc/init.d/ scripts? Do I create a script 
in one of the /etc/rc?.d/ directories?
I am pretty sure they don't expect every novice to start writing systemd 
service files? I don't even know where they are, I never touch them, too much 
can go wrong by not understanding how it all connects.
If I install dhcp it comes with default config files. If I change them then 
THAT config gets loaded.

If Debian does NOTHING with that nft config file then why is it there?
Is this a bug? 

Bonno Bloksma



Re: is nft running? how do I get info?

2023-04-24 Thread Anssi Saari
Bonno Bloksma  writes:

> Hi,
>
> After years of using ipchains and later iptables as firewall I am now trying 
> to use nft. :-)
>
> I thought I understood it all and as far as I know I have a working config. 
> But just trying to get a listing of the running config shows NOTHING.
> linbookwormtest:~# nft list ruleset
> linbookwormtest:~#
>
> There is nothing in the journal about nft
> linbookwormtest:~# journalctl -t nft
> -- Journal begins at Mon 2023-03-27 13:07:50 CEST, ends at Mon 2023-04-24 
> 12:18:07 CEST. --
> -- No entries --

Debian's nftables package includes a systemd service to run
nftables. You might want to run systemctl status nftables first and
then enable and to start the service.

I wonder how you used iptables? I always used a script for that but I
had to run it too for changes...



Re: is nft running? how do I get info?

2023-04-24 Thread Dan Ritter
Bonno Bloksma wrote: 
> Hi,
> 
> After years of using ipchains and later iptables as firewall I am now trying 
> to use nft. :-)
> 
> I thought I understood it all and as far as I know I have a working config. 
> But just trying to get a listing of the running config shows NOTHING.
> linbookwormtest:~# nft list ruleset
> linbookwormtest:~#

That says that you have no firewall set up.

All Linux kernel firewalls are implemented via nft, even if you are
using iptables or ufw or some other system.

> 
> There is nothing in the journal about nft
> linbookwormtest:~# journalctl -t nft
> -- Journal begins at Mon 2023-03-27 13:07:50 CEST, ends at Mon 2023-04-24 
> 12:18:07 CEST. --
> -- No entries --

Try this:

$ lsmod | grep nft

I get:

nft_chain_nat          16384  3
nf_nat                 57344  2 nft_chain_nat,xt_MASQUERADE
nft_compat             20480  25
x_tables               53248  13 xt_conntrack,nft_compat,xt_multiport,xt_state,xt_tcpudp,xt_tcpmss,xt_addrtype,xt_CHECKSUM,xt_recent,xt_set,ipt_REJECT,xt_MASQUERADE,ip6t_REJECT
nft_counter            16384  52
nf_tables             253952  153 nft_compat,nft_counter,nft_chain_nat
nfnetlink              20480  5 nft_compat,nf_conntrack_netlink,nf_tables,ip_set


> So nothing, not even a warning or an error. So how do I know if nft is 
> running at all? I am guessing it does NOT run because.
> Even using just the default ruleset in /etc/nftables.conf shows nothing in 
> the logs. It should at least show something right?

It's not a matter of running, it's a matter of whether rules
have been loaded.


> Now whether I have those SSH lines enabled or disable them makes no 
> difference, I can still logon using ssh. :-(
> 
> How, how do I continue? It isn't even working on a clean install of Debian 
> bookworm with the default config file.


Try:

# nft -f /etc/nftables.conf
# nft list ruleset


I suspect you just don't have anything loading the rules.

-dsr-
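The replies above (Dan's "it's a matter of whether rules have been loaded", Stanislav's "only a loader for /etc/nftables.conf at boot, if enabled", and the systemctl status Christoph shows) separate three different questions. The script below is an added example, not code from the thread or from Debian: it asks each question with the commands the replies cite (nft list ruleset, systemctl is-enabled nftables.service, nft -c -f /etc/nftables.conf) and reports which one is failing. The function names and message strings are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Debian): tell apart the three
# facts the thread keeps distinguishing on a Debian host.
#   1. is a live ruleset loaded right now?          (nft list ruleset)
#   2. will nftables.service reload it at boot?     (systemctl is-enabled)
#   3. does /etc/nftables.conf parse at all?        (nft -c -f, check only)
# assess_nft_state() takes the three observations as arguments so it can be
# exercised with constructed strings; collect_and_assess() gathers the real
# ones on a host (needs root for nft). Both function names are my own.

# assess_nft_state LIVE_RULESET ENABLED_STATE CONFIG_CHECK_RC
# Returns 0 only when rules are loaded now AND will be loaded again at boot
# AND the on-disk config is loadable. Each failing condition prints one line.
assess_nft_state() {
    live="$1"
    enabled="$2"
    check_rc="$3"
    status=0

    # An empty 'nft list ruleset' means no table, chain or hook exists, so
    # nothing is filtering: the kernel passes everything.
    if [ -z "$(printf '%s' "$live" | tr -d '[:space:]')" ]; then
        echo "NOT LOADED: 'nft list ruleset' is empty, no filtering is in effect"
        status=1
    else
        echo "loaded: a live ruleset is present"
    fi

    # Rules loaded by hand with 'nft -f' survive only until reboot; the
    # systemd unit is just the loader that re-runs that command at boot.
    case "$enabled" in
        enabled)
            echo "persistent: nftables.service is enabled and reloads the config at boot" ;;
        *)
            echo "NOT PERSISTENT: nftables.service is '$enabled', rules are gone after a reboot"
            status=1 ;;
    esac

    # A config that does not parse would make the unit fail at boot.
    if [ "$check_rc" -ne 0 ]; then
        echo "CONFIG ERROR: config does not parse (nft -c -f exit status $check_rc)"
        status=1
    fi

    return "$status"
}

# collect_and_assess [CONFIG]   -- run the three probes on a real host.
collect_and_assess() {
    conf="${1:-/etc/nftables.conf}"
    live="$(nft list ruleset 2>/dev/null)" || live=""
    # 'is-enabled' prints the state and exits non-zero for 'disabled';
    # keep what it printed and fall back to 'unknown' only if it printed nothing.
    enabled="$(systemctl is-enabled nftables.service 2>/dev/null)" \
        || enabled="${enabled:-unknown}"
    # -c parses and validates the file without applying anything.
    nft -c -f "$conf" >/dev/null 2>&1 && rc=0 || rc=$?
    assess_nft_state "$live" "$enabled" "$rc"
}
```

Source the file and run collect_and_assess as root; an exit status of 1 with a "NOT PERSISTENT" line is exactly the state described in this thread (config loaded by hand, service never enabled).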



is nft running? how do I get info?

2023-04-24 Thread Bonno Bloksma
Hi,

After years of using ipchains and later iptables as firewall I am now trying to 
use nft. :-)

I thought I understood it all and as far as I know I have a working config. But 
just trying to get a listing of the running config shows NOTHING.
linbookwormtest:~# nft list ruleset
linbookwormtest:~#

There is nothing in the journal about nft
linbookwormtest:~# journalctl -t nft
-- Journal begins at Mon 2023-03-27 13:07:50 CEST, ends at Mon 2023-04-24 
12:18:07 CEST. --
-- No entries --

And on an older server where I still have rsyslog installed there is also 
nothing in syslog. But that is no surprise when the journal database has 
nothing. ;-)

So nothing, not even a warning or an error. So how do I know if nft is running 
at all? I am guessing it does NOT run because.
Even using just the default ruleset in /etc/nftables.conf shows nothing in the 
logs. It should at least show something right?

But even more telling... in my modified ruleset I have:

--
...
table inet firewall {

    chain inbound_ipv4 {
        # accepting ping (icmp-echo-request) for diagnostic purposes, within a certain rate limit:
        icmp type echo-request limit rate 5/second accept
    }
    chain inbound_ipv6 {
        # accept neighbour discovery otherwise connectivity breaks
        #
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # accepting ping (icmpv6-echo-request) for diagnostic purposes, within a certain rate limit:
        # icmpv6 type echo-request limit rate 5/second accept
    }

    chain inbound {
        # By default, drop all traffic unless it meets a filter criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Allow loopback traffic.
        iifname lo accept

        # Jump to chain according to layer 3 protocol using a verdict map
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }

        # Allow SSH on port TCP/22 for IPv4 and IPv6.
        tcp dport { 22 } accept
...
--

Now whether I have those SSH lines enabled or disable them makes no difference, 
I can still logon using ssh. :-(

How, how do I continue? It isn't even working on a clean install of Debian 
bookworm with the default config file.

Bonno Bloksma