Script to manage a simple DynDNS whitelist based firewall using nftables

Hello!

First, I want to thank the nftables team for all the work. I moved from iptables to nftables about a year ago. I manage many servers and the way I go is simple and classic:

1) All incoming traffic is dropped by default policy. One exception: not for connections I opened (ct state established,related accept).
2) Required ports for public services are opened then. But only if it is required for them to be public (see 3).
3) If those ports in 2) are only required to be used by a predictable group of persons or servers, I use a whitelist which is periodically updated.

Simple examples are to only open the remote MariaDB port for a specific static server IPv4 address and allowing SSH only for a specific DynDNS hostname (which can deliver both an IPv4 and an IPv6 address).

That's why I made a lightweight Dash script (MIT License) I want to share with you:
https://github.com/etkaar/nftables-managing-script

The script is aware that subnets in concatenated sets (for the whitelist) are not available yet in Debian 10 Buster (nftables 0.9.0) and will automatically enable it in nftables > 0.9.4.

The good thing with nftables is that the ruleset can be atomically updated - of course, the script is aware of that (I don't know if atomic updates were ever possible in iptables, to be honest).

I hope it is okay for you if I share that here and, especially, that it may be helpful for some people out there :) Maybe it makes the slow transition to nftables easier.

--etkaar
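The three-step policy and the DynDNS whitelist refresh described in the post, as an added worked example. This is not the script linked above nor any code from that repository; it is a minimal POSIX sh illustration written for this thread. It assumes a table named `inet filter`, two sets `ssh_whitelist_v4` / `ssh_whitelist_v6` (nftables sets are single-typed, so IPv4 and IPv6 results of the same hostname go into separate sets), SSH on port 22, and `getent ahosts` as the resolver; the hostname in the usage line is a placeholder.

```sh
#!/bin/sh
# Added example for this thread, not the script from the post: resolve a
# DynDNS hostname to all of its A/AAAA records and replace the contents of
# two nftables whitelist sets in ONE atomic transaction.
# Assumed names: table "inet filter", sets ssh_whitelist_v4 / ssh_whitelist_v6.
set -eu

TABLE="inet filter"

# Base ruleset following the post's three steps: default drop, accept only
# what we opened ourselves, public ports open, SSH only from the whitelist.
# Load once with:  base_ruleset | nft -f -
base_ruleset() {
    cat <<'EOF'
table inet filter {
    set ssh_whitelist_v4 { type ipv4_addr; }
    set ssh_whitelist_v6 { type ipv6_addr; }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # neighbour discovery, otherwise IPv6 stops working behind a drop policy
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
        ip saddr @ssh_whitelist_v4 tcp dport 22 accept
        ip6 saddr @ssh_whitelist_v6 tcp dport 22 accept
        tcp dport { 80, 443 } accept
    }
}
EOF
}

# Classify one address: prints "4" or "6", nothing for anything else.
addr_family() {
    case "$1" in
        *:*) printf '6\n' ;;
        *.*.*.*) printf '4\n' ;;
    esac
}

# All A/AAAA records of a hostname, one per line, deduplicated (uses getent(1)).
resolve_host() {
    getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

# Read addresses from stdin and emit the nft batch that replaces both sets.
# "flush set" plus the "add element" lines are emitted as ONE nft -f input,
# so the kernel applies them in a single transaction: the whitelist is never
# empty in between, and a bad line aborts the whole batch instead of leaving
# a half-updated set. "flush set" also fails if the set does not exist, which
# again aborts the batch rather than silently doing nothing.
build_batch() {
    v4set=$1 v6set=$2
    printf 'flush set %s %s\n' "$TABLE" "$v4set"
    printf 'flush set %s %s\n' "$TABLE" "$v6set"
    while IFS= read -r addr; do
        case "$(addr_family "$addr")" in
            4) printf 'add element %s %s { %s }\n' "$TABLE" "$v4set" "$addr" ;;
            6) printf 'add element %s %s { %s }\n' "$TABLE" "$v6set" "$addr" ;;
            *) printf 'skipping unparseable address: %s\n' "$addr" >&2 ;;
        esac
    done
}

# apply <hostname> [v4set] [v6set]: resolve and push the new whitelist.
# Refuses to touch the sets when resolution returns nothing, so a DNS outage
# cannot lock every administrator out (the old entries simply stay in place).
main() {
    shift                      # drop the "apply" verb
    [ "$#" -ge 1 ] || { echo "usage: $0 apply <hostname> [v4set] [v6set]" >&2; exit 2; }
    host=$1 v4set=${2:-ssh_whitelist_v4} v6set=${3:-ssh_whitelist_v6}
    addrs=$(resolve_host "$host")
    [ -n "$addrs" ] || { echo "refusing to update: $host did not resolve" >&2; exit 1; }
    printf '%s\n' "$addrs" | build_batch "$v4set" "$v6set" | nft -f -
}

# Only run when invoked as:  sh dyndns-whitelist.sh apply admin.example.invalid
if [ "${1:-}" = "apply" ]; then
    main "$@"
fi
```

Run it from cron or a systemd timer at the DynDNS TTL interval. Two caveats a practitioner should keep in mind: the `ct state established,related accept` rule means a session that was opened while the old address was whitelisted survives a refresh, and plain `ipv4_addr` sets as used here are what works on Debian 10's nftables 0.9.0; if you need subnets in a set, add `flags interval` to the set definition.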