Hi Brian,

On Sat, 2 Jan 2021, Brian Pond wrote:
> * No default tables and chains. ...
> * Atomic rule activation. ...
> * I love the built-in support for configuration files ...
> * The ability to "log" and "drop" on the same rule line ...
> * ... "inet" tables ... don't need to duplicate ... IPv4 and IPv6.
> * Named Sets ...
Thanks for that. It seems that you and I use iptables very differently, and that what's useful for you doesn't offer much to me. Yes, named sets are great, but I use ipsets for the same reason and I have no complaints about it apart from the timeout limitation, which I think I've mentioned. Otherwise, my firewall configurations don't usually change at all - from one year to the next - so the dynamic aspects aren't an issue for me.
> ... a few nftables headaches ...
Only to be expected with new software, but the support is good. I use Debian 10 or something derived from it on a bunch of machines, but the firewalls aren't Debian, nor anything remotely like it. There are sets of (dynamic) iptables/ipsets rules on the individual (mostly Debian-like) machines for specific purposes, like blocking SMTP and HTTP attacks from China, and at the moment those rules do everything I need with little effort from me now that the scripting is all put to bed. The main thing which exercises me is finding new ways to catch attacks automatically; actually blocking them once identified is routine.
> Hope this email was helpful!
It was, very much so. One of the things at the back of my mind was that by being lazy I might be making some things harder for myself than necessary, but you've reassured me a little on that score. :) Thanks again, Brian.

--
73, Ged.
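As an added illustration (not a ruleset from either Brian's or Ged's firewalls), here is a small `nft -f` file that exercises the features quoted above: one "inet" table for both IPv4 and IPv6, named sets whose elements expire on their own, and "log" and "drop" in the same rule, all loaded as one atomic transaction. The table and set names, the 24h timeout and the accepted ports are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Loading this file with
# `nft -f` replaces the whole ruleset in a single atomic transaction:
# either everything below is active, or the old ruleset stays in place.
flush ruleset

table inet filter {
    # Named sets with per-element timeouts: a host added after an SMTP or
    # HTTP attack is detected drops off the list by itself after 24h, with
    # no cron job needed to expire it (timeout value is an assumption).
    set blocklist4 {
        type ipv4_addr
        flags timeout
        timeout 24h
    }
    set blocklist6 {
        type ipv6_addr
        flags timeout
        timeout 24h
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid drop
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Log and drop in one rule; the inet table means the IPv4 and IPv6
        # cases sit side by side in the same chain instead of in two
        # duplicated rulesets.
        ip saddr @blocklist4 log prefix "blocklist4 drop: " drop
        ip6 saddr @blocklist6 log prefix "blocklist6 drop: " drop

        # Services this host actually offers (ports are an assumption).
        tcp dport { 22, 25, 80, 443 } accept
    }
}
```

A detection script can then add an offender with its own expiry, e.g. `nft add element inet filter blocklist4 { 192.0.2.1 timeout 1h }` (documentation address), without touching the rest of the ruleset.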