[opensuse] ndtables ?
Darryl Gregorash wrote:

> On 2019-02-27 07:22 PM, Anton Aylward wrote:
> [snip]
>> And it seems Steve has done a 4th edition by himself with Addison-Wesley. "Linux Firewalls: Enhancing Security with nftables and Beyond 4th Edition"
>
> I did note that book in my meandering. My first question was, "What the <bleep> is nftables?" But please, no one hijack the thread on my account -- if I'm really interested, I'll open another one :D

nftables is the latest evolution - we started out with ipchains (1999?), then iptables, now nftables (2014?). c't (German computer magazine) has done a couple of decent articles - in 2015 and quite recently, in January I think.

> But I'd be far more satisfied if someone would write a decent GUI interface to at least one of these things.

I think any GUI will also come with a straight jacket of assumptions (for good reason) - if you want out, you have to abandon the GUI.

--
Per Jessen, Zürich (8.1°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2019-02-28 2:25 a.m., Per Jessen wrote:
> nftables is the latest evolution - we started out with ipchains (1999?), then iptables, now nftables (2014?). c't (German computer magazine) has done a couple of decent articles - in 2015 and quite recently, in January I think.

Do late-model kernels have nftables or are they still iptables? As far as I can tell my 4.20 series kernel still has iptables. The 'apropos' command tells me about iptables commands but no nftables. The 'ufw show raw' seems to tell me about iptables.

>> But I'd be far more satisfied if someone would write a decent GUI interface to at least one of these things.
>
> I think any GUI will also come with a straight jacket of assumptions (for good reason) - if you want out, you have to abandon the GUI.

As I observed about the Shorewall generation, when you dump (see above) the tables there is a complexity and 'grouping' that the algorithmic approach imposes, as Per says, a "straight jacket of assumptions", that adds a complexity that initially baffles me. It's not as bad as trying to debug someone else's FORTH code but neither is it something I can grok on the fly.

You need to pay attention to the prioritization and 'chains'. Converting the 'chains' and priorities to a mind-map would be a good way of comprehending them. And, conversely, a mind-map like GUI for defining/generating them would also be useful. Hmmm.

https://www.mindmeister.com/127522846/iptables
https://www.mindmeister.com/956012853/iptables

They seem to be about documenting iptables rather than designing a firewall.

Such a tool might well have to be web based to make the GUI easily programmable; I can see how it could be done in RAILS.

Google for that ... hmm, lots of interesting stuff, and not all of it purely web.

- http://www.fs-security.com/
  "Firestarter". Seems as much monitoring as configuration.
  http://www.fs-security.com/docs/events-page.html
  Potential interest here.

- There's a few that integrate into cPanel, but I think that's off on a tangent that is probably not of interest to Lew.
  https://www.configserver.com/cp/csf.html

- Jay's Iptables Firewall (1.0.5 08/2005 Curses/Perl)
  Curses could be nice with SSH for remote admin.
  http://firewall-jay.sourceforge.net/

- Easy Firewall Generator for IPTables
  This is a web site generating your IPTables rules.
  http://www.hideaway.net/iptables/

- Easychains
  Remarkably undocumented, not even screenshots.
  https://sourceforge.net/projects/easychains/

- Guarddog - "Protecting your computer with a cute little dog."
  (enough to make you throw up, isn't it?)
  http://www.simonzone.com/software/guarddog/
  http://www.simonzone.com/software/guarddog/#screenshots
  Last development update in 2006 for KDE3/qt3 and it looks like Python.
  Dead?

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
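The "chains and priorities" view Anton asks for above can be produced mechanically from the text that 'nft list ruleset' prints, and that dump shows the same nf_tables rules whether they were written with nft or with the iptables-nft wrappers mentioned later in the thread. The following is an added example, not code from the thread or from any of the projects named in it: a small parser that groups base chains by netfilter hook and orders them by priority (the kernel runs the chains registered on one hook from the lowest priority value to the highest), and lists the regular chains each base chain jumps to. The ruleset embedded below is constructed for the example; its table and chain names (filter, raw, nat, ssh_admin) are assumptions, not a real host's configuration.

```python
"""Summarise an `nft list ruleset` dump as hook -> base chains (by priority) -> jump targets.

Added example, not from the thread. SAMPLE_RULESET is constructed; table and
chain names are assumptions.
"""
import re
from collections import defaultdict

# Named priorities that newer nft prints instead of numbers; older nft prints
# the raw integers, which priority_value() also accepts.
NAMED_PRIORITY = {"raw": -300, "mangle": -150, "dstnat": -100,
                  "filter": 0, "security": 50, "srcnat": 100}

TABLE_RE = re.compile(r"^table\s+(\w+)\s+(\w+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
BASE_RE = re.compile(r"^type\s+(\w+)\s+hook\s+(\w+)(?:\s+devices?\s+.*?)?"
                     r"\s+priority\s+([^;]+);(?:\s*policy\s+(\w+)\s*;)?")


def priority_value(expr):
    """Resolve 'filter', '-150' or 'filter + 10' to an integer."""
    m = re.fullmatch(r"(-?\d+|\w+)(?:\s*([+-])\s*(\d+))?", expr.strip())
    if not m:
        raise ValueError(f"unparseable priority: {expr!r}")
    base, op, offset = m.groups()
    value = int(base) if re.fullmatch(r"-?\d+", base) else NAMED_PRIORITY[base]
    if op:
        value += int(offset) if op == "+" else -int(offset)
    return value


def parse_ruleset(text):
    """Return one dict per chain: family, table, chain, hook (None for a
    regular chain), priority, policy and the list of rule lines."""
    chains, family, table, current = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_RE.match(line)
        if m:
            family, table = m.groups()
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = {"family": family, "table": table, "chain": m.group(1),
                       "hook": None, "priority": None, "policy": None, "rules": []}
            chains.append(current)
            continue
        if line == "}":          # closes the current chain (or the table)
            current = None
            continue
        if current is None:      # table-level objects such as sets or maps
            continue
        m = BASE_RE.match(line)
        if m:                    # base chain: hooked into the kernel
            _typ, hook, prio, policy = m.groups()
            current["hook"] = hook
            current["priority"] = priority_value(prio)
            current["policy"] = policy or "accept"   # nft's default policy
        else:
            current["rules"].append(line)
    return chains


def traversal_order(chains):
    """Base chains grouped by hook, sorted the way the kernel runs them:
    ascending priority value (ties keep dump order)."""
    by_hook = defaultdict(list)
    for c in chains:
        if c["hook"] is not None:
            by_hook[c["hook"]].append(c)
    for hook in by_hook:
        by_hook[hook].sort(key=lambda c: c["priority"])
    return dict(by_hook)


def jump_targets(chain):
    """Regular chains reached from this chain via jump/goto."""
    targets = set()
    for rule in chain["rules"]:
        m = re.search(r"\b(?:jump|goto)\s+(\S+)", rule)
        if m:
            targets.add(m.group(1))
    return sorted(targets)


def render(chains):
    """Plain-text outline of hooks -> base chains -> jumped-to chains."""
    lines = []
    for hook, base_chains in sorted(traversal_order(chains).items()):
        lines.append(f"hook {hook}")
        for c in base_chains:
            lines.append(f"  priority {c['priority']:>5}  {c['family']} "
                         f"{c['table']}/{c['chain']}  policy {c['policy']}  "
                         f"({len(c['rules'])} rules)")
            for target in jump_targets(c):
                lines.append(f"    -> {target}")
    return "\n".join(lines)


# Constructed sample in the format `nft list ruleset` prints (names are assumptions).
SAMPLE_RULESET = """\
table inet filter {
    chain ssh_admin {
        ip saddr 192.0.2.0/24 tcp dport 22 accept
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 jump ssh_admin
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
table ip raw {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iif "eth0" tcp dport 22 notrack
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif "eth0" masquerade
    }
}
"""

if __name__ == "__main__":
    print(render(parse_ruleset(SAMPLE_RULESET)))
```

On a live host the same outline comes from feeding the real dump in, e.g. 'nft list ruleset | python3 summarise.py' with the sample replaced by 'sys.stdin.read()'. The point the outline makes visible is the one Anton describes: two tables can both hook prerouting, and it is the priority value, not the order in which they appear in the dump, that decides which one sees the packet first.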
On 2019-02-28 10:03 AM, Anton Aylward wrote:
> On 2019-02-28 2:25 a.m., Per Jessen wrote:
>> nftables is the latest evolution - we started out with ipchains (1999?), then iptables, now nftables (2014?). c't (German computer magazine) has done a couple of decent articles - in 2015 and quite recently, in January I think.
>
> Do late-model kernels have nftables or are they still iptables? As far as I can tell my 4.20 series kernel still has iptables. The 'apropos' command tells me about iptables commands but no nftables.

Both. Iptables is the default at installation time, but nftables is in the repository.
* Darryl Gregorash <raven@accesscomm.ca> [02-28-19 11:19]:
> On 2019-02-28 10:03 AM, Anton Aylward wrote:
>> On 2019-02-28 2:25 a.m., Per Jessen wrote:
>>> nftables is the latest evolution - we started out with ipchains (1999?), then iptables, now nftables (2014?). c't (German computer magazine) has done a couple of decent articles - in 2015 and quite recently, in January I think.
>>
>> Do late-model kernels have nftables or are they still iptables? As far as I can tell my 4.20 series kernel still has iptables. The 'apropos' command tells me about iptables commands but no nftables.
>
> Both. Iptables is the default at installation time, but nftables is in the repository.

Unless openSUSE removes nftables, and I doubt that, both reside within the kernel.

https://en.wikipedia.org/wiki/Nftables
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014.

--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
Registered Linux User #207535 @ http://linuxcounter.net
Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On 2019-02-28 12:35 PM, Patrick Shanahan wrote:
> * Darryl Gregorash <raven@accesscomm.ca> [02-28-19 11:19]:
>> On 2019-02-28 10:03 AM, Anton Aylward wrote:
>>> On 2019-02-28 2:25 a.m., Per Jessen wrote:
>>>> nftables is the latest evolution - we started out with ipchains (1999?), then iptables, now nftables (2014?). c't (German computer magazine) has done a couple of decent articles - in 2015 and quite recently, in January I think.
>>>
>>> Do late-model kernels have nftables or are they still iptables? As far as I can tell my 4.20 series kernel still has iptables. The 'apropos' command tells me about iptables commands but no nftables.
>>
>> Both. Iptables is the default at installation time, but nftables is in the repository.
>
> Unless openSUSE removes nftables, and I doubt that, both reside within the kernel.
>
> https://en.wikipedia.org/wiki/Nftables
> nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014.

~ # zypper info nftables
Information for package nftables:
<snip>
Summary        : Userspace utility to access the nf_tables packet filter

Note that nf_tables is the stuff in the kernel, while nftables comprises the utilities to the filter. There's also a package, iptables-nft, whose utilities behave like iptables on the CLI, but which edit the rules of the nft packet filter.
participants (4): Anton Aylward, Darryl Gregorash, Patrick Shanahan, Per Jessen