#nftables

albi always there<p>the end of <a href="https://f.cz/tags/IPTables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IPTables</span></a> is in sight, partly already within reach<br>over the past year I invested time and jumped from my previous <a href="https://f.cz/tags/UFW" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UFW</span></a> and the dead <a href="https://f.cz/tags/Shorewall" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Shorewall</span></a>, skipping <a href="https://f.cz/tags/FirewallD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FirewallD</span></a>, straight to bare <a href="https://f.cz/tags/NFTables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NFTables</span></a></p><p>- UFW uses iptables in the background, automatically translated into nftables, which is a botch that may suit people addicted to prehistoric iptables files "that nobody touches", but it ties the hands of a more progressive user quite a bit<br>- on top of that you have to memorize its special syntax and above all the order of its arguments, so I usually get a valid command on about the 4th try</p><p>- FirewallD of course also invented its own command syntax, and at the same time it litters nftables with unused chains; walking up to someone else's machine and making some minor change to the rules is almost Nobel Prize material</p><p>- NFtables are, for me, the clearest and most reliable (the most control), and they also let you have total control over the firewall and send Docker's attempts at domination packing<br>- on top of that they are very simple and easy to understand</p>
Thomas Liske<p>My talk from <a href="https://ibh.social/tags/clt2025" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>clt2025</span></a> is already available as a recording: <a href="https://media.ccc.de/v/clt25-306-firewalls-mandantenfahig-redundant-deklarativ" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">media.ccc.de/v/clt25-306-firew</span><span class="invisible">alls-mandantenfahig-redundant-deklarativ</span></a></p><p>Many thanks to everyone who watched it or will perhaps still watch it. I hope it gave you a few new insights. I had a lot of fun again. 🤗 </p><p>And big thanks to the team at <span class="h-card" translate="no"><a href="https://mastodon.social/@clt_news" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>clt_news</span></a></span> and to <span class="h-card" translate="no"><a href="https://chaos.social/@c3voc" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>c3voc</span></a></span> 🙏 </p><p><a href="https://ibh.social/tags/linuxnetworking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>linuxnetworking</span></a> <a href="https://ibh.social/tags/ifstate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ifstate</span></a> <a href="https://ibh.social/tags/nftables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nftables</span></a></p>
Jan Wildeboer 😷:krulorange:<p>Currently blocking 18687 IPv4 and 890 IPv6 IP addresses that are trying to brute force their way into my mailserver. Thanks, <a href="https://social.wildeboer.net/tags/nftables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nftables</span></a>, thanks, <a href="https://social.wildeboer.net/tags/crowdsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>crowdsec</span></a> :) (This is on a single-core VPS with 2GB of RAM, no measurable performance impact, since quite some years now)</p>
LinuxNews.de<p>On 2 February we were the victim of a <a href="https://social.anoxinon.de/tags/ddos" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ddos</span></a> attack from <a href="https://social.anoxinon.de/tags/aws" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>aws</span></a>. <a href="https://social.anoxinon.de/tags/nginx" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nginx</span></a> rate limits, <a href="https://social.anoxinon.de/tags/fail2ban" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fail2ban</span></a> and <a href="https://social.anoxinon.de/tags/nftables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nftables</span></a> had it so well under control that we didn't even notice. Only the page views in <a href="https://social.anoxinon.de/tags/matomo" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>matomo</span></a> suggested that there had been an attack. </p><p>Meanwhile, other sites: "wE nEeD cLoUdFlArE bEcAuSe Of DDoS!!!" </p><p><a href="https://social.anoxinon.de/tags/braverserver" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>braverserver</span></a> <a href="https://social.anoxinon.de/tags/opensourcepower" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>opensourcepower</span></a></p>
Dan Oachs<p>I was finally forced to switch from <a href="https://ipv6.social/tags/iptables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>iptables</span></a> to <a href="https://ipv6.social/tags/nftables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nftables</span></a> on a new <a href="https://ipv6.social/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>linux</span></a> campus firewall setup.</p><p>I really should have made the switch years ago. Nftables is SO MUCH nicer! Having sets and variables has really simplified the configuration a ton.</p><p>I was happy with iptables for a really long time and so familiar with it, that I guess I was afraid of something new, but learning nftables has been fun and a lot easier than I expected for some reason.</p>
Quixoticgeek<p>Slightly thrown by my new firewall rules working first time. No errors, and it didn't lock me out of the remote machine. I usually achieve one of these every time I try something new in <a href="https://social.v.st/tags/NFTables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NFTables</span></a> ... </p><p>Maybe I'm finally starting to properly understand.</p>
🔗 David Sommerseth<p>I remember I was disappointed when setting up this device about half a year ago, regarding the lacking <a href="https://infosec.exchange/tags/nftables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nftables</span></a> support. But I saw they were working on this, to migrate to it in a coming update.</p><p>Today I logged into the LuCI interface to change the firewalling slightly. Just to check everything was as expected, I did an iptables-save dump. And it came out empty. And then realising it was all properly set up in the nft ruleset dump instead.</p><p>The router had rebooted about a week ago, something I didn't notice at all. Which means it's running a fully up-to-date OS and packages without any interactions at all.</p><p>This is generally just wonderful!</p>
Andy Smith<p>TIL that if you have an nftables rule like</p><p>iif "blah" counter accept</p><p>then that interface "blah" has to already exist or else it's a syntax error. But if you do</p><p>iifname "blah" counter accept</p><p>then it doesn't have to exist already and will be looked up every time.</p><p>Details here: <a href="https://serverfault.com/a/985167" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="">serverfault.com/a/985167</span><span class="invisible"></span></a></p><p><a href="https://social.bitfolk.com/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> <a href="https://social.bitfolk.com/tags/nftables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nftables</span></a></p>
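The difference described in the post above, shown in a small ruleset. This is an added example, not from the post or the linked answer; the interface names are constructed, with "eth0" assumed to be a permanently present NIC and "wg0" a tunnel interface that is created and torn down at runtime.

```nft
# Added example (not from the post above). Interface names are constructed:
# "eth0" is assumed to be a permanent NIC, "wg0" a tunnel that comes and goes.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif "lo" accept

        # iif matches on the interface *index*, which nft resolves when the
        # ruleset is loaded, so "eth0" must exist at load time or the whole
        # ruleset is rejected. Fine for hardware that is always present.
        iif "eth0" tcp dport 22 ct state new counter accept

        # iifname matches on the interface *name* for every packet, so this
        # rule loads even if wg0 does not exist yet and keeps matching after
        # the tunnel is recreated (and so gets a new index).
        iifname "wg0" tcp dport { 80, 443 } ct state new counter accept
    }
}
```

Validate with `nft -c -f ruleset.nft` before loading; if eth0 is absent the check fails on the `iif` line, while the `iifname` line always passes. The index-based match also has a second edge: if an interface is removed and another one later reuses its index, an `iif` rule written for the old device starts matching the new one, which is why name-based matching is the safer default for anything hot-pluggable.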
kravietz 🦇<p><a class="hashtag" href="https://agora.echelon.pl/tag/linux" rel="nofollow noopener" target="_blank">#Linux</a> hint - if you’re using <a class="hashtag" href="https://agora.echelon.pl/tag/nftables" rel="nofollow noopener" target="_blank">#nftables</a> <em>and</em> <a class="hashtag" href="https://agora.echelon.pl/tag/docker" rel="nofollow noopener" target="_blank">#Docker</a> you’ve probably noticed they mess with each other. Docker assumes 100% control over <code>-t nat</code> and drops tons of dynamic rules there, so if you manage it yourself, you’ll overwrite them and everything stops working.</p><p>The most reliable solution I’ve found so far is to make <code>iptables</code> a link to <code>iptables-legacy</code>, which can be done using <code>update-alternatives</code> on Ubuntu: </p><pre><code>update-alternatives --set iptables /usr/sbin/iptables-legacy </code></pre><p>Docker will continue using <code>iptables</code> for managing its dynamic rules, while your actual firewall can continue to be managed using <code>nft</code>, and they will both coexist in the kernel while being in separate “namespaces”. Both will be executed, but they won’t overwrite each other.</p><p>P.S. <a class="hashtag" href="https://agora.echelon.pl/tag/freebsd" rel="nofollow noopener" target="_blank">#FreeBSD</a> with jails does it a bit more elegantly because <code>pf</code> has a feature called anchors - which is essentially a separate rules namespace which can be linked from the main ruleset so that it doesn’t mess with the application-specific ones. Of course this would also be doable with <code>nftables</code>, but the Docker project doesn’t seem to care.</p>
Thorsten Leemhuis (acct. 1/4)<p><a href="https://fosstodon.org/tags/nftables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nftables</span></a> 1.1.0 is out: </p><p><a href="https://lore.kernel.org/all/Zpbc2XtUExOCriMP@calendula/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">lore.kernel.org/all/Zpbc2XtUEx</span><span class="invisible">OCriMP@calendula/</span></a></p><p>To quote a few highlights:</p><p>- Broader IPv4-Mapped IPv6 (similar to iptables)</p><p>- Better error reporting when redefining chain</p><p>- Support for variables in map expressions</p><p>- VLAN support […]</p><p>- Restore rule replace command</p><p>- Restore addition of netdevice to flowtable</p><p>- Support for chain multidevice in JSON</p><p>- Byteorder conversion with {ct,meta} statements</p>
GrapheneOS<p>Due to frequent DDoS attacks, we're enforcing stricter limits on the number of connections to our servers. By default, each server enforces a limit of 16 or 32 TCP connections from each IPv4 address and IPv6 /64 block. During persistent attacks, these limits will be adjusted.</p><p><a href="https://grapheneos.social/tags/netfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>netfilter</span></a> <a href="https://grapheneos.social/tags/nftables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nftables</span></a> <a href="https://grapheneos.social/tags/synproxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>synproxy</span></a> <a href="https://grapheneos.social/tags/ddos" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ddos</span></a></p>
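A per-source connection limit of the kind the post above describes, as an added example that is not GrapheneOS's own ruleset. The limit of 16 concurrent TCP connections per IPv4 address and per IPv6 /64, the ports, and the set names are constructed for illustration; the mechanism is nftables' `ct count` in a dynamic set.

```nft
# Added example (not GrapheneOS's ruleset). The limit (16), the ports and the
# set names are constructed for illustration.
table inet filter {
    # Dynamic sets that nftables fills from the "add @set" expressions below;
    # each element carries a conntrack-backed connection counter for its key.
    set conn_v4 {
        type ipv4_addr
        flags dynamic
        size 65535
    }
    set conn_v6 {
        type ipv6_addr
        flags dynamic
        size 65535
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif "lo" accept

        # IPv4: drop a new connection once the source address already has
        # more than 16 connections tracked by conntrack.
        tcp dport { 80, 443 } ct state new add @conn_v4 { ip saddr ct count over 16 } counter drop

        # IPv6: mask the source to its /64 so a single host cannot evade the
        # limit by rotating through addresses inside its own allocation.
        tcp dport { 80, 443 } ct state new add @conn_v6 { ip6 saddr & ffff:ffff:ffff:ffff:: ct count over 16 } counter drop

        # Everything under the limit is admitted.
        tcp dport { 80, 443 } ct state new accept
    }
}
```

The `counter` on each drop rule is the cheap way to see whether the limit is actually firing (`nft list chain inet filter input`), and `nft list set inet filter conn_v6` shows which /64 blocks currently hold counters. Raising or lowering the threshold during an attack, as the post mentions, is a single `nft replace rule` on the two drop lines rather than a reload of the whole ruleset. Note that `ct count` only sees connections conntrack knows about, so the limit applies after any synproxy stage and does not by itself protect against raw SYN floods.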
Hans-Cees 🍋🌲🦔🦦🐝🦋🐛🚅🇸🇳🇵🇾🇹🇬🇹🇲<p>any <a href="https://mas.to/tags/nftables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nftables</span></a> <a href="https://mas.to/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>linux</span></a> gurus here? I am struggling with some advanced bridge problems on <a href="https://mas.to/tags/proxmox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>proxmox</span></a> <a href="https://mas.to/tags/homelab" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>homelab</span></a> <br>But nobody answers </p><p>the question is back up, hope someone can shed light </p><p><a href="https://forum.proxmox.com/threads/should-nftable-bridge-filtering-work-here-network-goes-blip-blip-poof.143966/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">forum.proxmox.com/threads/shou</span><span class="invisible">ld-nftable-bridge-filtering-work-here-network-goes-blip-blip-poof.143966/</span></a></p>
Krafter<p>Anyone know how to get samba working on <a href="https://fosstodon.org/tags/postmarketOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>postmarketOS</span></a>?</p><p>I followed the Alpine Wiki guide (<a href="https://wiki.alpinelinux.org/wiki/Setting_up_a_Samba_server" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">wiki.alpinelinux.org/wiki/Sett</span><span class="invisible">ing_up_a_Samba_server</span></a>), and opened some ports (<a href="https://www.cyberciti.biz/faq/what-ports-need-to-be-open-for-samba-to-communicate-with-other-windowslinux-systems/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cyberciti.biz/faq/what-ports-n</span><span class="invisible">eed-to-be-open-for-samba-to-communicate-with-other-windowslinux-systems/</span></a>) but I still can't connect to it (it just says "timed out" when trying to retrieve the share list).</p><p>Any ideas?<br><a href="https://fosstodon.org/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> <a href="https://fosstodon.org/tags/Samba" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Samba</span></a> <a href="https://fosstodon.org/tags/Networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Networking</span></a> <a href="https://fosstodon.org/tags/IPTables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IPTables</span></a> <a href="https://fosstodon.org/tags/NFTables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NFTables</span></a> <a href="https://fosstodon.org/tags/postmarketOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>postmarketOS</span></a> <a href="https://fosstodon.org/tags/OnePlus6" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OnePlus6</span></a></p>
lanefu<p>Wanted to share a recent project of mine from the past few weeks to turn my <a href="https://social.linux.pizza/tags/nanopi" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nanopi</span></a> r5s <a href="https://social.linux.pizza/tags/sbc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sbc</span></a> into a really potent pure Debian Linux router that is sane to manage.</p><p>I was able to successfully switch over this weekend and retire my edgerouter-6p.</p><p>The formula is basically <a href="https://social.linux.pizza/tags/ansible" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ansible</span></a>, <a href="https://social.linux.pizza/tags/systemd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>systemd</span></a> stuff, <a href="https://social.linux.pizza/tags/netplan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>netplan</span></a>, <a href="https://social.linux.pizza/tags/dnsmasq" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dnsmasq</span></a>, <a href="https://social.linux.pizza/tags/frrouting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>frrouting</span></a> and <a href="https://social.linux.pizza/tags/foomuuri" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>foomuuri</span></a> -- the linchpin solution for sanely doing robust zone-to-zone firewalls using <a href="https://social.linux.pizza/tags/nftables" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nftables</span></a> </p><p>Repo linked below has more details:</p><p><a href="https://github.com/lanefu/clammy-ng" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/lanefu/clammy-ng</span><span class="invisible"></span></a></p>