After decades of suffering through ipchains/iptables syntax, and seeing how easy fw and ufw made common firewall workflows, it's disappointing that the best Debian's iptables replacement can do is:

nft add rule inet filter input tcp dport 22 accept

When syntax for common workflows is complicated, you increase the chance the admin will make a mistake that exposes them to attackers. See S3 bucket permissions for more examples of this.

No, first you have to create table 'filter' and then create a chain called 'input' and hook it up in the right place in the packet flow path, and only then add the rule...

Oops, my bad. You also need to first add a rule to block everything, allow established connections, and modify your rule to accept new connections only. Then do something about invalid and martian packets. That's before creating chains for fail2ban and logs...
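The full setup the replies describe, written out as an added example (not posted by anyone in this thread) in the form of an nft ruleset file loaded with `nft -f`. The table and chain names match the first post; the log prefix and rate limit are my own choices, and the reverse-path check stands in for the "martian packets" step:

```nft
#!/usr/sbin/nft -f
# Assumed layout: one inet table 'filter' with an input base chain, default drop.
flush ruleset

table inet filter {
    chain input {
        # Base chain: hooked into the input path, everything not accepted below is dropped
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed
        iif "lo" accept

        # Drop packets conntrack cannot classify before doing anything else
        ct state invalid drop

        # Replies to connections that were already accepted
        ct state established,related accept

        # Reverse-path check: drop packets whose source is not routable back
        # through the interface they arrived on (covers most martian sources)
        fib saddr . iif oif missing drop

        # ICMP is needed for path MTU discovery and neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept

        # The rule from the first post, now restricted to new connections only;
        # established SSH traffic is already handled above
        tcp dport 22 ct state new accept

        # Everything else: rate-limited log line, then fall through to policy drop
        limit rate 5/minute log prefix "nft-input-drop: "
    }
}
```

Check the result with `nft list ruleset` after loading; fail2ban adds its own table when configured for the nftables backend, so it does not need a chain here.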
