Firewall mess

Postby questlinq » 2019-10-23 19:41

Hello,

Not so long ago, I was asking about firewall in Debian 10. I'm installing Debian (Buster) minimal for server use only - no GUI.
In the documentation I can read: Debian Buster uses the nftables framework by default. So, why does it need to be installed then?

Also, when I install firewalld to manage nf_tables, it doesn't install the package (nf_tables) as a dependency if nf_tables isn't already installed; yet the outside/inside network gets cut off.
I'm so confused with this firewall issue that I'm thinking to move away from Debian.
questlinq
 
Posts: 50
Joined: 2017-09-19 08:51

Re: Firewall mess

Postby andre@home » 2019-10-23 22:00

Does this help you, an example to make a start?
https://linuxandcaffeine.com/setup-a-si ... -nftables/
andre@home
 
Posts: 347
Joined: 2011-10-02 08:00

Re: Firewall mess

Postby Deb-fan » 2019-10-24 07:12

Just like anything else GNU/Linux-ish, you have plenty of options and no shortage of documentation available online. Sure, nftables is covered (or you could choose something else, i.e. the ufw (uncomplicated firewall) CLI option). If someone opts for a bare minimum install then it's their responsibility to set it up and configure it. Clearly comes with the territory; making it work is up to you.
Deb-fan
 
Posts: 445
Joined: 2012-08-14 12:27

Re: Firewall mess

Postby Head_on_a_Stick » 2019-10-24 17:14

questlinq wrote: In the documentation I can read: Debian Buster uses the nftables framework by default. So, why does it need to be installed then?

Because the stock setup uses iptables configuration and an nftables backend. The nftables package is required if you want to use the native nftables configuration.
Don't break Debian | How to report bugs

SharpBang GNU/Linux — a pre-configured Openbox/Tint2 desktop running on Debian stable
Head_on_a_Stick
 
Posts: 10613
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Firewall mess

Postby questlinq » 2019-10-24 18:31

Head_on_a_Stick wrote: Because the stock setup uses iptables configuration and an nftables backend. The nftables package is required if you want to use the native nftables configuration.

1. Do I need to issue the following commands before installing nftables?

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft

2. I install nftables?

3. Do I delete any files/rules of stock firewall?
questlinq
 
Posts: 50
Joined: 2017-09-19 08:51

Re: Firewall mess

Postby Head_on_a_Stick » 2019-10-26 17:27

questlinq wrote: 1. Do I need to issue the following commands before installing nftables?

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft

Don't mess around with the --set option, use this instead:
# update-alternatives --config iptables

And the same for the rest. There is also galternatives if you prefer GUIs.

questlinq wrote: 2. I install nftables?

No, you only need that if you want to use nftables' native syntax instead of Debian's abstraction. I think that would be a better idea, but some people will want to stick with their old configurations.

questlinq wrote: 3. Do I delete any files/rules of stock firewall?

Not if you want to still use them.
Head_on_a_Stick
 
Posts: 10613
Joined: 2014-06-01 17:46
Location: /dev/chair
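The "iptables configuration with an nftables backend" arrangement described in this reply is easy to check rather than guess at. The following is an added example, not code from the thread or from Debian: it classifies a host's iptables backend from the output of `iptables -V` (which on Debian 10 reports either `(nf_tables)` or `(legacy)` after the version) and reads which path `update-alternatives --query iptables` currently selects. The sample outputs embedded below are constructed to match the shape of those tools' output, not captured from a real host; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): report which iptables backend a Debian
# Buster host is really using, so "nftables by default" can be verified.

# classify_backend VERSION_LINE -> prints nf_tables | legacy | unknown
# Input is one line of `iptables -V` output, e.g. "iptables v1.8.2 (nf_tables)".
classify_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# alternative_value QUERY_OUTPUT -> prints the path currently selected by
# update-alternatives (its "Value:" line), or nothing if there is none.
alternative_value() {
    printf '%s\n' "$1" | sed -n 's/^Value: //p' | head -n 1
}

# report_live: inspect the running system when the tools are present;
# does nothing (and fails nothing) on a host without them.
report_live() {
    if command -v iptables >/dev/null 2>&1; then
        echo "iptables backend: $(classify_backend "$(iptables -V 2>/dev/null)")"
    fi
    if command -v update-alternatives >/dev/null 2>&1; then
        echo "alternative selected: $(alternative_value "$(update-alternatives --query iptables 2>/dev/null)")"
    fi
}

# Constructed sample outputs (shaped like Debian 10's tools, not real captures).
SAMPLE_VERSION_NFT='iptables v1.8.2 (nf_tables)'
SAMPLE_VERSION_LEGACY='iptables v1.8.2 (legacy)'
SAMPLE_QUERY='Name: iptables
Link: /usr/sbin/iptables
Slaves:
 iptables-restore /usr/sbin/iptables-restore
 iptables-save /usr/sbin/iptables-save
Status: auto
Best: /usr/sbin/iptables-nft
Value: /usr/sbin/iptables-nft

Alternative: /usr/sbin/iptables-legacy
Priority: 10
Slaves:
 iptables-restore /usr/sbin/iptables-legacy-restore
 iptables-save /usr/sbin/iptables-legacy-save

Alternative: /usr/sbin/iptables-nft
Priority: 20
Slaves:
 iptables-restore /usr/sbin/iptables-nft-restore
 iptables-save /usr/sbin/iptables-nft-save'

# Show the classifier on the constructed samples, then on the live host if asked.
echo "sample 1: $(classify_backend "$SAMPLE_VERSION_NFT")"        # nf_tables
echo "sample 2: $(classify_backend "$SAMPLE_VERSION_LEGACY")"     # legacy
echo "sample alternative: $(alternative_value "$SAMPLE_QUERY")"   # /usr/sbin/iptables-nft
if [ "${1:-}" = "--live" ]; then
    report_live
fi
```

Run it with `--live` on the host in question. If the backend is `nf_tables` but the alternative points at `iptables-legacy` (or the other way round), the two tool families are writing rules into different places, which is the situation the thread's later replies warn against mixing.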

Re: Firewall mess

Postby hkoster1 » 2019-10-27 09:57

A confusing firewall mess indeed, caused by the inaccurate claim that Debian Buster is using nftables by default. It isn't, witness the fact that the nftables package isn't even installed by default.

There may be good reasons for having this "halfway house" construction of an nftables backend to iptables, but it simply isn't nftables (native) by default.
Real Debian users don't do chat...
hkoster1
 
Posts: 1269
Joined: 2006-12-18 10:10

Re: Firewall mess

Postby Head_on_a_Stick » 2019-10-27 10:37

hkoster1 wrote: the inaccurate claim that Debian Buster is using nftables by default. It isn't

Erm, so the Release Notes are lying?

https://www.debian.org/releases/stable/ ... l#nftables
Head_on_a_Stick
 
Posts: 10613
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Firewall mess

Postby hkoster1 » 2019-10-27 13:43

Not lying, erm, but inaccurate and confusing. :wink:
hkoster1
 
Posts: 1269
Joined: 2006-12-18 10:10

Re: Firewall mess

Postby CwF » 2019-10-27 13:57

hkoster1 wrote: "halfway house"

Exactly right.
Not everything in buster works without iptables.
CwF
 
Posts: 502
Joined: 2018-06-20 15:16

Re: Firewall mess

Postby p.H » 2019-10-29 13:23

Head_on_a_Stick wrote: so the Release Notes are lying?

hkoster1 wrote: Not lying, erm, but inaccurate and confusing

Maybe confusing, but totally accurate. The important word is "framework".
p.H
 
Posts: 1160
Joined: 2017-09-17 07:12

Re: Firewall mess

Postby questlinq » 2019-11-08 16:47

All I can see is that iptables is installed by default and not nftables.

What's strange to me:

1. I remove iptables.

2. I install nftables instead of iptables.

3. I install firewalld to manage nftables. Why does iptables get installed back as a dependency of firewalld, when firewalld can manage nftables on its own?
questlinq
 
Posts: 50
Joined: 2017-09-19 08:51

Re: Firewall mess

Postby andre@home » 2019-11-08 17:44

https://wiki.debian.org/nftables
This is the default.

Should I build a firewall using nftables?
Yes. Building new firewalls on top of iptables is discouraged.

Should I replace an iptables firewall with an nftables one?
Yes, nftables is the replacement for iptables. There are some tools in place to ease this task.

Please read: https://wiki.nftables.org/wiki-nftables ... o_nftables

Why a new framework?
The previous framework (iptables) has several problems that are hard to address, regarding scalability, performance, code maintenance, etc.

What are the major differences?
In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.

Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.
nftables includes built-in data set capabilities. In iptables this is not possible, and there is a separate tool: ipset.
In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.
This new framework features a new Linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.

Should I mix nftables and iptables/ebtables/arptables rulesets?
No, unless you know what you are doing.
andre@home
 
Posts: 347
Joined: 2011-10-02 08:00

Re: Firewall mess

Postby questlinq » 2019-11-08 19:26

@andre@home

Thank you for your detailed explanation. But, this still doesn't give any answer to my 1, 2, 3 points that were presented earlier.
questlinq
 
Posts: 50
Joined: 2017-09-19 08:51

Re: Firewall mess

Postby andre@home » 2019-11-08 21:32

We cannot check how you "made the mess" or how "it happened to you", so it is virtually impossible to form a good opinion.
Normally the complete removal and reinstall of the right package should do the job, but if something is damaged irreversibly, you may have a problem.
Do you have a spare disk to check it with a clean install?
Old SATA disks are so cheap, or you can get one from someone for free; 100-300GB is more than enough for this work.
Sometimes I have that too: you think you did it the right way, but in the end you find out that this was not completely true, you forgot something or...
My experience is that I learn faster this way and can check whether the problem is reproducible; it often saves a lot of time and frustration.
Give it a thought.
Or you may have the luck that a very experienced person knows the solution...
andre@home
 
Posts: 347
Joined: 2011-10-02 08:00
