Zucca Moderator
Joined: 14 Jun 2007 Posts: 3343 Location: Rasi, Finland
Posted: Tue Dec 20, 2016 4:52 pm Post subject: Using nftables (instead of iptables)
NOTE: the topic title was "Looking for a "non-bloated" firewall software", but as the focus is more towards nftables I decided to change the title.
I'm looking for some kind of nice iptables frontend to easily set up fw-rules. "Looking for" as in: seeing if there's any that fit, or do I just resort back to using "raw" iptables.
The software should not have any graphical UIs as a requirement; as an alternative remote UI it's fine. I'd avoid any webUIs. I have a bad feeling about webUIs. I prefer ssh'ing in and do-what-I-wanna-do-and-big-bada-boom-getouttathere. ncurses would fit in perfectly. And Vuurmuur seems like a good candidate, but I cannot find it in Gentoo portage (haven't searched any overlays yet). So does anybody have experience using it?
Does anyone have any other suggestions?
I'm looking at this for my home "all-in-one" server. I'd prefer packages from amd64, meaning stable packages as much as possible.
I might later set up another piece of hardware as a firewall between the internet and my LAN. But at this point it's only that one PC.
Thanks in advance.
_________________
..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
Quote: "I am NaN! I am a man!"
Last edited by Zucca on Fri Jan 06, 2017 12:21 pm; edited 3 times in total
dr_wulsen Tux's lil' helper
Joined: 21 Aug 2013 Posts: 146 Location: Austria
Posted: Tue Dec 20, 2016 8:08 pm
Hi Zucca,
I don't run it myself, but a friend of mine who is admin at a mid-sized company (approx. 400 people) recently suggested firehol to me, as it would make firewalling with iptables simpler.
Personally, I'm running iptables on my router with OpenWrt and the LuCI interface (can recommend it if you later put in some other piece of hardware for firewalling), so I didn't try firehol.
But at least there's an ebuild in the official Gentoo tree, net-firewall/firehol.
Dunno if it's what you're seeking. It's got no GUI, it does not even have ncurses, but should (according to my admin friend) be easy to get started with, which most likely means it's less complex than raw iptables but will have its own syntax...
_________________
There's no stupid questions, only stupid answers.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54236 Location: 56N 3W
Posted: Tue Dec 20, 2016 9:18 pm
Zucca,
Shorewall is a lot less to learn than raw IPtables. There is still a lot of it.
There is also shorewall6 for IPv6.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3343 Location: Rasi, Finland
Posted: Tue Dec 20, 2016 9:21 pm
Thanks, dr_wulsen!
Firehol really has the concept of "deny all by default" taught well. It sure looks simpler than raw iptables, but rather than learning a new (although simple) language, I'd probably learn nftables. I'll look more closely into firehol if I don't find any with some text UI.
EDIT: Thanks to you, Neddy, too!
I've heard of shorewall before... At some point I thought of using it, but I don't remember why I abandoned it. I'll look into that as well.
Goverp Advocate
Joined: 07 Mar 2007 Posts: 2006
Posted: Wed Dec 21, 2016 10:14 am
Also net-firewall/ufw.
_________________
Greybeard
NTU Apprentice
Joined: 17 Jul 2015 Posts: 187
Posted: Wed Dec 28, 2016 8:58 am
An ipfire-like interface would be awesome, nice little web portal to login and view usage graphs and such. I dug into the source for ipfire trying to figure out how to go about building it for a different distro, the structure for everything is a complete mess and I just gave up. Probably would be easier to just pipe traffic and fw logs and such into an SQL database and view it that way than trying to tear apart ipfire, haven't spent too much time on the whole thing.
C5ace Guru
Joined: 23 Dec 2013 Posts: 472 Location: Brisbane, Australia
Posted: Wed Dec 28, 2016 11:55 am
I use a stripped down Bastille Firewall as part of Ispconfig on a Debian server. It's just 3 *.sh files and a configuration file. Very easy to open and close ports by adding and deleting the port numbers in the config file.
-rw-rw-r-- 1 root root  3265 Aug 15  2014 bastille-firewall
-rw-rw-r-- 1 root root 21995 Aug 15  2014 bastille-ipchains
-rw-rw-r-- 1 root root 22578 Aug 15  2014 bastille-netfilter
-rw-rw-r-- 1 root root 17987 Aug 15  2014 bastille_licence.txt
-rw-r--r-- 1 root root 14349 Nov 21 14:15 bastille-firewall.cfg
See app-admin/bastille in portage for the full version.
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3343 Location: Rasi, Finland
Posted: Wed Dec 28, 2016 12:00 pm
I've now been playing with vuurmuur.
It even has some monitoring features. The wiki isn't very complete. And I have serious trouble searching trac. I've never actually liked the trac webUI. The searches include results from the trac manual, which is more than annoying.
Anyways. The rules are simple to adjust and the order of rules can be adjusted with + or - easily.
If I don't get vuurmuur to work the way I like, I might go with raw iptables or even nftables.
Last edited by Zucca on Fri Apr 21, 2017 9:34 am; edited 1 time in total
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Thu Dec 29, 2016 11:18 pm
I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3343 Location: Rasi, Finland
Posted: Sun Jan 01, 2017 11:49 am
Ant P. wrote:
> I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.
That's good to know. I'll get myself more acquainted with nftables. I think I had already compiled all the nftables stuff into the kernel.
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3343 Location: Rasi, Finland
Posted: Wed Jan 04, 2017 1:47 pm
I have had a struggle with vuurmuur and I'm unable to create NAT/MASQ using it. :\ Sad, since I would really have liked a good firewall software with an ncurses UI.
My next step is to learn nftables. So far it seems logical. At least compared to iptables. And it even has its own simple scripting language.
I think I want to compile all the nftables stuff into the kernel and maybe remove all/some of the iptables stuff from it. Some features of iptables collide with nftables.
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Wed Jan 04, 2017 3:06 pm
Ant P. wrote:
> I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.
I'm looking to learn nftables. Are you aware of a basic firewall example? That was really the most effective way for me to learn iptables. I found a basic firewall that allowed outgoing connections, allowed incoming packets that were part of the outgoing connections, and allowed in filtered ssh connections. Starting from those few basics you can add what you need. I'd like the same for nftables, if anyone is aware of it.
_________________
.sigs waste space and bandwidth
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3343 Location: Rasi, Finland
Posted: Fri Jan 06, 2017 12:28 pm
Zucca wrote:
> I noticed that if you want to make portable nftables scripts then you'd need to change the shebang to:
... And I just realised that nft needs a -f switch to read scripts. And when using env the shell tries to run a program named exactly 'nft -f'.
So I guess it's best to use #!/sbin/nft as a shebang or create a symlink to /usr/bin and use #!/usr/bin/nft.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jan 06, 2017 5:26 pm
Zucca wrote:
> ... And I just realised that nft needs a -f switch to read scripts. And when using env the shell tries to run a program named exactly 'nft -f'. So I guess it's best to use #!/sbin/nft as a shebang or create a symlink to /usr/bin and use #!/usr/bin/nft.
Zucca ... see: shebang portability and "the interpretation of the command arguments".
I don't see why you need to make such a script portable; nftables is Linux only (so that rules out some percentage of possible hosts) and /sbin will most likely be where you find it. Should it be under /usr/local then the user need only edit the script. So, unless you're planning mass deployment I wouldn't worry about hardcoding the path.
best ... khay
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Sun Jan 08, 2017 12:44 am
depontius wrote:
> Ant P. wrote:
> > I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.
> I'm looking to learn nftables. Are you aware of a basic firewall example? That was really the most effective way for me to learn iptables. I found a basic firewall that allowed outgoing connections, allowed incoming packets that were part of the outgoing connections, and allowed in filtered ssh connections. Starting from those few basics you can add what you need. I'd like the same for nftables, if anyone is aware of it.
I posted my config a while back in this thread. It's mostly hacked together with trial and error since the upstream wiki is a bit obtuse, but it works. Hopefully it's of some use to others.
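Ant P.'s config is not reproduced on this page, so the following is an added example written for this edit (not Ant P.'s ruleset and not from the nftables project) covering the two practical points raised in the thread: depontius's request for a minimal firewall that allows outgoing connections, accepts incoming packets belonging to those connections and lets in filtered ssh, and the shebang question from Zucca and khayyam. It assumes nft is installed at /sbin/nft (as Zucca notes for Gentoo; change the first line if yours is /usr/sbin/nft) and uses 192.168.1.0/24 as a placeholder LAN prefix.

```nft
#!/sbin/nft -f
# Added example ruleset for a single host, not a config from this thread.
# Shebang note: on Linux the kernel passes everything after the interpreter
# path as ONE argument, so "#!/sbin/nft -f" runs "/sbin/nft -f <script>",
# which is what nft needs, while "#!/usr/bin/env nft -f" makes env look for
# a program literally named "nft -f". Load explicitly with: nft -f <script>

# Placeholder LAN prefix (assumed value, adjust to your network)
define lan = 192.168.1.0/24

# Replace the whole ruleset atomically; re-running the script does not
# duplicate rules. Note this also removes tables created by other tools.
flush ruleset

table inet filter {
    chain input {
        # Default-deny for everything this host receives
        type filter hook input priority 0; policy drop;

        # Loopback is always allowed
        iif lo accept

        # Replies to connections this host opened (and related ones, e.g.
        # ICMP errors or FTP data); invalid conntrack states are dropped
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery, neighbour
        # discovery and the like
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # ssh only from the LAN, with new connections rate-limited so a
        # password-guessing loop is slowed down and logged as drops below
        ip saddr $lan tcp dport 22 ct state new limit rate 10/minute accept

        # Count and log whatever falls through to the policy, so dropped
        # traffic shows up in the kernel log for detection
        log prefix "nft input drop: " counter drop
    }

    chain forward {
        # Single host, nothing to route
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outgoing connections are allowed; conntrack tracks them so the
        # replies match "established,related" in the input chain
        type filter hook output priority 0; policy accept;
    }
}
```

Save it as, say, /etc/nftables.conf, make it executable and run it directly (the shebang does the rest), or load it with `nft -f /etc/nftables.conf`; `nft list ruleset` then shows the active tables and chains with their counters, and recent nft versions also accept `-c`/`--check` to parse the file without applying it. Because the ssh rule carries `ct state new`, an existing session is never cut off by the limit; the limit only applies to connection attempts, and the ones beyond it end up in the logged drop line.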