Firewall mess

Linux Kernel, Network, and Services configuration.
questlinq
Posts: 69
Joined: 2017-09-19 08:51

Firewall mess

#1 Post by questlinq »

Hello,

Not so long ago, I was asking about the firewall in Debian 10. I'm installing Debian (Buster) minimal for server use only - no GUI.
In the documentation I can read: Debian Buster uses the nftables framework by default. So why does it need to be installed then?

Also, when I install Firewalld to manage nf_tables, it doesn't install the package (nf_tables) as a dependency if nf_tables isn't already installed - yet the outside/inside network gets cut off.
I'm so confused with this firewall issue that I'm thinking of moving away from Debian.

andre@home
Posts: 398
Joined: 2011-10-02 08:00

Re: Firewall mess

#2 Post by andre@home »

Does this help you, an example to make a start?
https://linuxandcaffeine.com/setup-a-si ... -nftables/

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: Firewall mess

#3 Post by Deb-fan »

Just like anything else gnu/Linux-ish you have plenty of options and no shortage of documentation available online. Sure, nftables is covered (or you could choose something else, i.e. the ufw (uncomplicated firewall) CLI option). If someone opts for a bare minimum install then it's their responsibility to set it up and configure it. Clearly comes with the territory; making it work is up to you.
Most powerful FREE tech-support tool on the planet * HERE. *

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Firewall mess

#4 Post by Head_on_a_Stick »

questlinq wrote:In documentation I can read - Debian Buster uses the nftables framework by default. So, why it needs to be installed then?
Because the stock setup uses iptables configuration and an nftables backend. The nftables package is required if you want to use the native nftables configuration.
deadbang

questlinq
Posts: 69
Joined: 2017-09-19 08:51

Re: Firewall mess

#5 Post by questlinq »

Head_on_a_Stick wrote:Because the stock setup uses iptables configuration and an nftables backend. The nftables package is required if you want to use the native nftables configuration.
1. Do I need to issue the following commands before installing nftables?

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft

2. Do I install nftables?

3. Do I delete any files/rules of the stock firewall?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Firewall mess

#6 Post by Head_on_a_Stick »

questlinq wrote:1. Do I need to issue following commands before installing nftables?

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft
Don't mess around with the --set option, use this instead:

# update-alternatives --config iptables
And the same for the rest. There is also galternatives if you prefer GUIs.
questlinq wrote:2. I install nftables?
No, you only need that if you want to use nftables' native syntax instead of Debian's abstraction. I think that would be a better idea but some people will want to stick with their old configurations.
questlinq wrote:3. Do I delete any files/rules of stock firewall?
Not if you want to still use them.
deadbang

hkoster1
Posts: 1264
Joined: 2006-12-18 10:10

Re: Firewall mess

#7 Post by hkoster1 »

A confusing firewall mess indeed, caused by the inaccurate claim that Debian Buster is using nftables by default. It isn't, witness the fact that the nftables package isn't even installed by default.

There may be good reasons for having this "halfway house" construction of an nftables backend to iptables, but it simply isn't nftables (native) by default.
Real Debian users don't do chat...

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Firewall mess

#8 Post by Head_on_a_Stick »

hkoster1 wrote:the inaccurate claim that Debian Buster is using nftables by default. It isn't
Erm, so the Release Notes are lying?

https://www.debian.org/releases/stable/ ... l#nftables
deadbang

hkoster1
Posts: 1264
Joined: 2006-12-18 10:10

Re: Firewall mess

#9 Post by hkoster1 »

Not lying, erm, but inaccurate and confusing. :wink:
Real Debian users don't do chat...

CwF
Global Moderator
Posts: 2636
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Firewall mess

#10 Post by CwF »

hkoster1 wrote:"halfway house"
Exactly right.
Not everything in buster works without iptables.

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Firewall mess

#11 Post by p.H »

Head_on_a_Stick wrote:so the Release Notes are lying?
hkoster1 wrote:Not lying, erm, but inaccurate and confusing
Maybe confusing, but totally accurate. The important word is "framework".

questlinq
Posts: 69
Joined: 2017-09-19 08:51

Re: Firewall mess

#12 Post by questlinq »

All I can see is that iptables is installed by default and not nftables.

What's strange to me:

1. I remove iptables.

2. I install nftables instead of iptables.

3. I install firewalld to manage nftables - why does iptables get installed back as a dependency of firewalld, when firewalld can manage nftables on its own?

andre@home
Posts: 398
Joined: 2011-10-02 08:00

Re: Firewall mess

#13 Post by andre@home »

https://wiki.debian.org/nftables
This is the default.
Should I build a firewall using nftables?
Yes. Building new firewalls on top of iptables is discouraged.

Should I replace an iptables firewall with a nftables one?
Yes, nftables is the replacement for iptables. There are some tools in place to ease in this task.

Please read: https://wiki.nftables.org/wiki-nftables ... o_nftables

Why a new framework?
The previous framework (iptables) has several problems hard to address, regarding scalability, performance, code maintenance, etc.

What are the major differences?
In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.

Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.
nftables includes built-in data set capabilities. In iptables this is not possible, and there is a separate tool: ipset.
In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.
This new framework features a new linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.

Should I mix nftables and iptables/ebtables/arptables rulesets?
No, unless you know what you are doing.
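As an added example (not from the Debian wiki text quoted above or from anyone in this thread), here is a native nftables ruleset for a small server that shows the differences the wiki lists: a user-defined table and chains, one inet table covering IPv4 and IPv6, named sets in place of ipset, and several actions in one rule. The services, admin addresses and log prefix are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not from the thread or the Debian wiki.
# Assumptions (constructed): a single-homed server offering HTTP/HTTPS to
# everyone and SSH only to an admin network in the RFC 5737 documentation range.
flush ruleset

# No default tables or chains exist in nftables: the table is declared here.
# The inet family handles IPv4 and IPv6 in one place, so one file replaces
# separate iptables and ip6tables rule sets.
table inet filter {
    # Built-in sets replace the separate ipset tool.
    set web_ports {
        type inet_service
        elements = { 80, 443 }
    }
    set ssh_admins {
        type ipv4_addr
        flags interval            # allows CIDR prefixes as elements
        elements = { 192.0.2.0/24, 198.51.100.10 }
    }

    chain input {
        # Base chain attached to the kernel input hook; default verdict is drop.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP is needed for path MTU discovery; ICMPv6 for neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        tcp dport @web_ports ct state new accept
        tcp dport 22 ip saddr @ssh_admins ct state new accept

        # Several actions in one rule: a counter, rate-limited logging and the
        # verdict. iptables needs a -j LOG rule plus a separate -j DROP rule.
        # Packets beyond the log rate fall through to the chain's drop policy.
        counter limit rate 5/minute log prefix "nft-input-drop: " drop
    }

    chain forward {
        # This host does not route, so nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax with `nft -c -f <file>` before loading it with `nft -f <file>`; on Buster, saving it as /etc/nftables.conf lets the nftables service restore it at boot.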

questlinq
Posts: 69
Joined: 2017-09-19 08:51

Re: Firewall mess

#14 Post by questlinq »

@andre@home

Thank you for your detailed explanation. But, this still doesn't give any answer to my 1, 2, 3 points that were presented earlier.

andre@home
Posts: 398
Joined: 2011-10-02 08:00

Re: Firewall mess

#15 Post by andre@home »

We cannot check how you "made the mess" or how "it happened to you"... so it is virtually impossible to form a good opinion.
Normally the complete removal and reinstall of the right package should do the job, but if something is damaged irreversibly, you may have a problem.
Do you have a spare disk to check it with a clean install?
Old SATA disks are so cheap, or you can get one from someone for free; 100-300GB is more than enough for this work.
Sometimes I have that too: you think you did it the right way but at the end you find out that this was not completely true, you forgot something or...
My experience is that I learn faster this way and can check whether the problem is reproducible, which often saves a lot of time and frustration.
Give it a thought.
Or you may have luck that a very experienced person knows the solution...
