FOSSONLY
commented
5 years ago I would also suggest the same for NFtables, they will replace the outdated IPtables. Btw.: In Debian-Buster NFtables will be the new Standard.
Open smitsohu opened 5 years ago
FOSSONLY
commented
5 years ago I would also suggest the same for NFtables, they will replace the outdated IPtables. Btw.: In Debian-Buster NFtables will be the new Standard.
netblue30
commented
5 years ago netfilter6
Let's go for it. Anybody has some experience with IPv6? Adding it to the code and making it default should be pretty easy. The problem is I have no idea how to set an IPv6 filter.
NFtables
I'll start working on it and pass a patch file to @reinerh to add it to Debian version once it is released, or even earlier, depending how it goes.
NF
SkewedZeppelin
commented
5 years ago https://gist.github.com/jirutka/3742890 has a lot of good commented (iptables) examples for both IPv4 and IPv6, licensed MIT.
Currrently we have a default ipv4 firewall for new network namespaces (
netfilter), but no companion for ipv6. Probably it would be good if thenetfilter6option had a default and was added to all profiles that havenetfilteralready.Once in place, there could be also a toggle in firefail.config to optionally enforce these firewalls for all new network namespaces. One could even contemplate whether to turn this on by default.