Post AT92ZSaszk9lfsJsTw by mejofi@ngmx.com
 (DIR) Post #AT8usXT2IhUkeqEaXY by mejofi@ngmx.com
       2023-02-28T15:39:47Z
       
       0 likes, 1 repeats
       
I'm curious; what do those of you who run Linux servers exposed to the internet, whether here on the Fediverse or elsewhere, use as their firewall tooling? Are you still using iptables, or have you moved to nftables? Have you written your own rules, or do you use a frontend, such as 'ufw'? Or do you depend on your upstream, such as your cloud provider, to implement access control for you? Feel free to boost far and wide 🙂
       
 (DIR) Post #AT8uyEr0PxPmfPADPU by kravietz@agora.echelon.pl
       2023-02-28T15:49:25.944309Z
       
       0 likes, 0 repeats
       
       @mejofi I run nftables on all servers, managed by an Ansible role. Except for servers which run FreeBSD, where I use ipfw ;)
       
 (DIR) Post #AT8yILMiDZF0W2GxrU by mejofi@ngmx.com
       2023-02-28T15:53:41Z
       
       1 likes, 0 repeats
       
@kravietz I knew someone would be along to tout the superiority of ipfw/pf
       
 (DIR) Post #AT8z1qE4KFW3G8vOXg by kravietz@agora.echelon.pl
       2023-02-28T16:34:52.963075Z
       
       0 likes, 0 repeats
       
       @mejofi Oh, I’m a Linux guy originally and I praise nftables for their clear syntax and atomic loads. But I also have a few FreeBSD servers, for example because nobody made anything as close to perfection as OPNsense based on Linux.
       
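The atomic load kravietz mentions, in practice: this is an added example (not code from either poster) of a complete nftables ruleset for an internet-facing Linux host, written so that `nft -f` replaces the running ruleset in a single transaction. The admin address ranges and the service ports are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for an internet-facing host.
# `flush ruleset` plus the table below are applied as ONE transaction:
# either every rule here becomes active, or the previous ruleset stays.
flush ruleset

table inet filter {
    # Named set: can be edited at runtime (nft add element ...) without reloading the file.
    set admins_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }   # constructed placeholder ranges
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state { established, related } accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery; ICMPv6 also for neighbour discovery.
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # SSH only from the admin set, with a per-source rate limit on new connections
        # so a single source cannot hammer the daemon.
        tcp dport 22 ip saddr @admins_v4 ct state new \
            meter ssh_new { ip saddr limit rate 6/minute } accept

        # Public services (placeholder ports).
        tcp dport { 80, 443 } accept

        # Log a sample of what is dropped; the limit keeps logging from filling the disk.
        limit rate 5/minute log prefix "nft-drop-input: "
        counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Validate with `nft -c -f rules.nft` first: the `-c` flag parses and checks the file without touching the kernel, so a syntax error is caught while the old ruleset is still in place.
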
 (DIR) Post #AT92ZSaszk9lfsJsTw by mejofi@ngmx.com
       2023-02-28T17:00:59Z
       
       1 likes, 0 repeats
       
@kravietz I wrote a Python frontend for iptables over a decade ago that sort of mimics pf syntax, and it's served us well over the years, but it's getting a bit long in the tooth, requiring extra workarounds, etc. Hence the revisit of nftables, which will hopefully have matured enough since I last looked at it about five years ago.
       
 (DIR) Post #AT92dxAHH7eJe914F6 by kravietz@agora.echelon.pl
       2023-02-28T17:15:11.436376Z
       
       0 likes, 0 repeats
       
@mejofi It absolutely is, I switched all my production to nftables a few years ago already.
       
 (DIR) Post #AT94RgKkE8vLsYBjlY by mejofi@ngmx.com
       2023-02-28T17:19:45Z
       
       0 likes, 0 repeats
       
       @kravietz When I last looked, there were weird back- and forward compatibility issues between the versions available across the Debian and Ubuntu releases we need to support, so it'll be interesting to see whether that has been resolved.
       
 (DIR) Post #AT94RgqeJWRdTV7DUm by kravietz@agora.echelon.pl
       2023-02-28T17:35:31.310981Z
       
       0 likes, 0 repeats
       
       @mejofi ~5 years ago nftables was going through a very intensive development, while Debian and Ubuntu lagged behind with their shipped versions. This indeed resulted in many incompatibilities but anything installed on bionic/focal is already stable and pretty recent.