After decades of suffering through ipchains/iptables syntax, and seeing how easy fw and ufw made common firewall workflows, it's disappointing that the best Debian's iptables replacement can do is:

nft add rule inet filter input tcp dport 22 accept

When syntax for common workflows is complicated, you increase the chance the admin will make a mistake that exposes them to attackers. See S3 bucket permissions for more examples of this. #infosec #devops

no, first you have to create table 'filter' and then create a chain called 'input' and hook it up in the right place in the packet flow path and only then add the rule...


oops, my bad. you also need to first add a rule to block everything, allow established connections and modify your rule to accept new connections only. then do something about invalid and martian packets. that's before creating chains for fail2ban and logs...

Sign in to participate in the conversation

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.