:: Re: [DNG] nftables firewall and fai…
Author: Steve Litt
Date:  
To: dng
Subject: Re: [DNG] nftables firewall and fail2ban replacement.
onefang said on Wed, 12 Jan 2022 23:49:39 +1000

>I've been using shorewall and fail2ban for a while now, but nftables is
>soon replacing iptables, so it's time to consider some options.


I can't tell whether you're addressing the firewall on a single
computer, or the firewall between your LAN and the Internet.

If the former, now that
https://www.tomsguide.com/news/router-attack-netusb-flaw , I'm going to
replace the firewall functions of my Spectrum Cable Modem with an
OpenBSD PF firewall. An excellent documentation set of PF is at
https://www.tomsguide.com/news/router-attack-netusb-flaw , and there's
an excellent sample firewall config at
https://www.openbsd.org/faq/pf/filter.html#example .

Having looked at pfSense, iptables, nftables, IPFire, Openwall, and
OPNsense, I find plain old pf superior for a firewall appliance. If you
need the same machine to be a DHCP server, I'd just install a BSD DHCP
server on the same machine.

If I wanted a DNS server on the firewall machine (I don't) instead of
on one of my LAN machines (which I do), I'd install unbound and nsd on
the BSD machine.

======

If you meant the firewall on one Linux machine, you obviously can't use
the BSD-only pf. I've found iptables to be quite usable, and haven't
yet tried nftables. I tried Shorewall and found it to add tremendous
complication to iptables and it seems to outsmart itself when trying to
do something out of the ordinary, so I just resorted to iptables.

I haven't tried fail2ban, and would like to hear more about it.


SteveT

Steve Litt
Spring 2021 featured book: Troubleshooting Techniques of the Successful
Technologist http://www.troubleshooters.com/techniques
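Since the thread asks about a fail2ban replacement on nftables and the reply above asks what fail2ban actually does, here is an added example (not part of the original message and not Steve Litt's or fail2ban's code) showing the core of it: scan sshd "Failed password" syslog lines, count failures per source address over a sliding window, and emit `nft add element` commands that drop the offender into a timed-out set. The log lines are constructed for the example (RFC 5737 test addresses); the table name `inet filter`, set name `sshban`, threshold of 5 failures in 10 minutes and 10-minute ban are assumptions, not anything the thread specifies.

```python
#!/usr/bin/env python3
"""Minimal fail2ban-style SSH blocker on top of an nftables timed set (added example)."""
import re
import shlex
import subprocess
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed nftables names; change to match your own ruleset.
NFT_TABLE = "inet filter"
NFT_SET = "sshban"

# Matches the default sshd syslog line for a failed password on Debian/Devuan.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log: one brute-forcer, one legitimate typo, one slow scanner.
SAMPLE_LOG = """\
Jan 12 22:00:00 devuan sshd[1900]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jan 12 22:15:00 devuan sshd[1910]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jan 12 22:30:00 devuan sshd[1920]: Failed password for root from 192.0.2.9 port 33003 ssh2
Jan 12 22:45:00 devuan sshd[1930]: Failed password for root from 192.0.2.9 port 33004 ssh2
Jan 12 23:00:00 devuan sshd[1940]: Failed password for root from 192.0.2.9 port 33005 ssh2
Jan 12 23:40:01 devuan sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 23:40:05 devuan sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 12 23:40:09 devuan sshd[2105]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jan 12 23:41:02 devuan sshd[2110]: Failed password for invalid user oracle from 203.0.113.5 port 51300 ssh2
Jan 12 23:41:30 devuan sshd[2112]: Failed password for invalid user test from 203.0.113.5 port 51310 ssh2
Jan 12 23:42:00 devuan sshd[2120]: Failed password for steve from 198.51.100.7 port 40001 ssh2
Jan 12 23:42:07 devuan sshd[2120]: Accepted password for steve from 198.51.100.7 port 40001 ssh2
"""


def parse_failures(lines, year=2022):
    """Return (timestamp, source_ip) for every failed-password line; syslog has no year, so one is assumed."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # accepted logins, other daemons, noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events


def find_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count per source; returns {ip: time_of_ban} for sources hitting the threshold."""
    recent = defaultdict(list)
    banned = {}
    for ts, ip in sorted(events):  # sort so out-of-order log lines cannot skew the window
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in banned:
            banned[ip] = ts
    return banned


def nft_setup_commands():
    """One-time commands creating the timed set and the drop rule that consults it."""
    return [
        f"nft add table {NFT_TABLE}",
        f"nft add set {NFT_TABLE} {NFT_SET} '{{ type ipv4_addr; flags timeout; timeout 10m; }}'",
        f"nft add chain {NFT_TABLE} input '{{ type filter hook input priority 0; policy accept; }}'",
        f"nft add rule {NFT_TABLE} input ip saddr @{NFT_SET} counter drop",
    ]


def nft_ban_commands(banned, ban_time="10m"):
    """Per-offender element insertions; the kernel expires each entry after ban_time, so no unban job is needed."""
    return [f"nft add element {NFT_TABLE} {NFT_SET} '{{ {ip} timeout {ban_time} }}'" for ip in sorted(banned)]


def run_commands(commands):
    """Execute the generated nft commands (needs root and nft on PATH)."""
    for cmd in commands:
        subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    # Usage: sshban.py [/var/log/auth.log] [--apply]; without --apply it only prints the commands.
    args = [a for a in sys.argv[1:] if a != "--apply"]
    lines = open(args[0]).read().splitlines() if args else SAMPLE_LOG.splitlines()
    cmds = nft_ban_commands(find_offenders(parse_failures(lines)))
    if "--apply" in sys.argv:
        run_commands(nft_setup_commands() + cmds)
    else:
        print("\n".join(nft_setup_commands() + cmds))
```

Run against the embedded sample, it bans only 203.0.113.5: the slow scanner at 192.0.2.9 never accumulates five failures inside one 10-minute window, and the single typo from 198.51.100.7 stays well under the threshold. The `timeout` flag on the set is what makes this a one-way operation: nftables expires the element itself, which is the part of fail2ban (the unban cron and its state file) that is most annoying to reimplement by hand.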