Wanted to share a recent project of mine from the past few weeks to turn my #nanopi r5s #sbc into a really potent pure Debian Linux router that was sane to manage.
I was able to successfully switch over this weekend and retire my edgerouter-6p.
The formula is basically #ansible #systemd stuff #netplan #dnsmasq #frrouting and #foomuuri -- the lynchpin solution for sanely doing robust zone-to-zone firewalls using #nftables
Repo linked below has more details:
From Linux Update: Frank Hoffman shows you how nftables simplifies the process of creating and maintaining firewall rules https://www.linux-magazine.com/Issues/2023/270/nftables #firewall #nftables #iptables #FOSS #filter #packets #Linux #netfilter #OpenSource
Network question!
I have a bunch of #IPv6 addresses on my machine. I'd like to use one of my addresses by preference to connect to the internet, but a different, specific one when the destination port is 25 (thanks, Google).
I suspect #nftables can help me, but I'm having trouble finding documentation.
Can I use nftables for this? If so, how?
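One way to get the behaviour the post asks for, as an added example that is not part of the original thread: a nat-type postrouting chain in the ip6 family rewrites the source address of locally generated SMTP connections only. The interface name eth0 and both documentation-range addresses are constructed assumptions; the dedicated address must already be configured on the interface.

```nft
# Added example (not from the post). Assumptions, all constructed:
#   eth0           outbound interface
#   2001:db8::25   address that must be used only for TCP destination port 25
# Load with: nft -f mailsrc.nft   (check first with: nft -c -f mailsrc.nft)
table ip6 mailsrc {
    chain postrouting {
        # nat hook on postrouting also sees locally generated packets
        type nat hook postrouting priority srcnat; policy accept;
        # source-NAT outgoing SMTP to the dedicated address; conntrack
        # reverse-translates the replies, so the socket never notices
        oifname "eth0" tcp dport 25 counter snat to 2001:db8::25
    }
}
```

The counter on the rule lets you confirm with `nft list table ip6 mailsrc` that SMTP flows are actually hitting it. Which address is used for all *other* traffic is a source-selection question rather than a firewall one: the kernel prefers non-deprecated addresses, so marking the unwanted candidates deprecated (`ip -6 addr change <addr> dev eth0 preferred_lft 0`) steers default traffic without any NAT.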
@jerry
I once had problems because newer iptables on #debian is basically a compatibility layer using #nftables in the background. Flushing all rules with iptables would remove the nftables rules but not the #netfilter rules. I had to use iptables-legacy to flush the #netfilter rules.
@stefano #ArchLinux works well but setup is really not simple. #NFTables or #IPTables are more complicated for me than #PF. Even #IPFW is easier to understand than NFTables or IPTables.
I already managed a small server powered by #FreeBSD: I love to manually install and set up my apps to understand how they work. I learn a lot this way.
@spirillen
Good one. Yes we remember reading once somewhere that #iptables is being replaced with #nftables.
Do we know the timeline?
BTW the notabug repo we shared is definitely not official. The entity officially posts to tracker2.postman.i2p, they just share the torrent there. A comment there would be seen, perhaps??
#nftables 1.0.8 is out:
https://lore.kernel.org/all/ZLEr3Eg59HyPUUSR@calendula/
"""
- Support for setting meta and ct mark from other fields in rules […]
- Enhancements for -o/--optimize to deal with NAT statements […]
- Support for stateful statements in anonymous maps, such as counters. […]
- Simplify reset command syntax. […]
- Allow for updating devices on existing netdev chain […]
- JSON support for table and chain comments […]
- JSON support for inner/tunnel matching. […]
"""
#Linux #kernel #LinuxKernel #firewall
@erroddy @nixCraft I don't understand these issues against #systemd. We have to learn many new things in #Linux all the time:
- #ifconfig replaced by ip
- paths in the kernel for various things
- #iptables vs #nftables
- #x11 vs #wayland
- etc.
This trend won't stop, I am sure =)
It's really hard to fathom that Docker doesn't have #nftables support up to this day.
ChatGPT's statement about nftables: "The error message points to several syntax errors in the file "/etc/nftables.conf". The exact cause cannot be clearly determined from the error message provided[...]"
Hmm, not even ChatGPT likes the error message.
Need to do port forwarding #iptables #portforwarding #ipforward #nftables
Need to do Port forwarding #iptables #portforwarding #ipforward #nftables
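A complete nftables port-forwarding ruleset, as an added example that is not from the posts above: it combines the three pieces that iptables users usually spread over the nat and filter tables (dnat, masquerade, and a forward rule that admits only the translated flow). Interface names, the LAN server address and the port are constructed assumptions; `net.ipv4.ip_forward=1` must be set separately.

```nft
# Added example (not from the posts). Constructed assumptions:
#   eth0          WAN interface
#   eth1          LAN interface
#   192.168.1.10  LAN web server reached from outside on TCP/443
# Prerequisite outside nft: sysctl -w net.ipv4.ip_forward=1
table inet fwd {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # rewrite the destination of inbound WAN connections to the server
        iifname "eth0" tcp dport 443 dnat ip to 192.168.1.10:443
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # hide LAN sources behind the WAN address for outbound traffic
        oifname "eth0" masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # admit only the flow that prerouting actually translated,
        # so an unrelated routed packet to the LAN is still dropped
        iifname "eth0" oifname "eth1" ct status dnat \
            ip daddr 192.168.1.10 tcp dport 443 counter accept
        # LAN clients may reach the WAN side
        iifname "eth1" oifname "eth0" accept
    }
}
```

`ct status dnat` is the nftables equivalent of the iptables `--ctstate DNAT` idiom: the forward chain never has to repeat the port list, and a later change to the dnat rule cannot silently open a second path. Verify hits with `nft list chain inet fwd forward` after a test connection.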
It's always DNS. Always. Except when it's that mediocre nftables setup you did a while ago and forgot all about... Hours of debugging fun guaranteed, all to find out that you should probably have left those forwarding hooks alone. They weren't hurting anyone.
Think I am finally getting the hang of configuring host-based nftables firewall through Ansible with this role.
Can't QUITE understand why I can't just do a group's rules in group_vars/foo.yml and instead have to use this merged-groups thing, but I do have firewall rules composable by group and host which is really all I need…
https://github.com/ipr-cnrs/nftables
#Ansible #nftables
Ok, went down a slight rabbit hole... You can use #nftables to log #packets to the nflog facility. #tcpdump or #tshark can read from the nflog queue and report info on the packets. Nftables can sample the packets randomly: using `numgen random mod 1000 < 50` I can sample 5% of packets (or whatever). If the output is easily readable by #Julialang, I can turn the network visibility issue into a data analysis issue. What's the best way to read the output? tshark json?
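The sampling rule the post describes, written out as an added example (not the poster's own config): a random 5% of forwarded packets is copied to nflog group 5, where tshark can pick it up. The group number, prefix and choice of the forward hook are assumptions.

```nft
# Added example (not from the post). Assumptions: nflog group 5 is free,
# and forwarded traffic is what should be sampled.
table inet sample {
    chain forward {
        type filter hook forward priority filter; policy accept;
        # numgen random mod 1000 yields 0..999; < 50 selects ~5% of packets.
        # counter shows how many were sampled; log copies them to nflog group 5
        # (snaplen limits how much of each packet is handed to userspace).
        numgen random mod 1000 < 50 counter log prefix "sample " group 5 snaplen 128
    }
}
```

Read the queue with `tshark -i nflog:5 -T json` (or `-T ek` for one JSON object per line, which is easier to stream into an analysis tool). Because the log statement does not affect the verdict, the chain keeps its accept policy and the sampling can be removed again without touching any real filtering rule.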
Spent a fair bit of time with the firewalld implementation of nftables today. Every single time I have to deal with a Linux firewall system I long for the simplicity of ipfw rules/config.
Why is Linux such a convoluted mess at this in comparison?
#linux #freebsd #nftables #firewall
Wondered why the lab VLAN wasn't getting any IPs... checked the whole VLAN config... only to find that I hadn't allowed it in #nftables...
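The rules the post ended up missing, as an added example that is not the poster's config: an input chain on a router that serves DHCP on a VLAN interface must accept the DHCP exchange before conntrack has any state, and for IPv6 it must also accept the neighbour-discovery messages that address assignment depends on. The interface name eth0.20 is a constructed assumption.

```nft
# Added example (not from the post). Assumption: eth0.20 is the lab VLAN
# interface on a router that runs the DHCPv4/DHCPv6 server for that VLAN.
table inet lab {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # DHCPv4: clients send from UDP 68 to 67, often as broadcast,
        # so this must be an explicit accept rather than relying on ct state
        iifname "eth0.20" udp sport 68 udp dport 67 counter accept
        # DHCPv6: clients send from UDP 546 to 547
        iifname "eth0.20" udp sport 546 udp dport 547 counter accept
        # IPv6 neighbour discovery / router solicitation needed for SLAAC and NUD
        iifname "eth0.20" icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
    }
}
```

The counters turn the post's hours of VLAN-config checking into one command: if `nft list chain inet lab input` shows zero packets on the DHCP rules while clients are retrying, the traffic is not reaching the router on that interface; if they count up but clients still get nothing, the problem is in the DHCP server, not the firewall.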