Diffstat (limited to 'content/posts/2021-10-20-nftables-sitrep.md')
-rw-r--r--  content/posts/2021-10-20-nftables-sitrep.md  36
1 files changed, 36 insertions, 0 deletions
diff --git a/content/posts/2021-10-20-nftables-sitrep.md b/content/posts/2021-10-20-nftables-sitrep.md new file mode 100644 index 0000000..17b421c --- /dev/null +++ b/content/posts/2021-10-20-nftables-sitrep.md @@ -0,0 +1,36 @@ +--- +slug: nftables-sitrep +title: "Nftables Sitrep" +date: "2021-10-20T01:39:11-04:00" +--- +In April I decided to switch the firewalls for my laptop and a couple of +servers from [`iptables`][iptables] to [`nft` and nftables][nft]. + +After several months of use I can report that the experience has been +positive. + +Pros: +* Simple declarative configuration file. No more hacky shell scripts. +* Atomic (all or nothing) ruleset changes. +* Faster ruleset changes. +* Built-in [JSON][] support. + +Cons: +* Occasionally finicky parser. +* Remapping IP ranges can be more verbose than [iptables][]. + +The detauls are a bit long for a blog post (even for me!), so they are +available as a [separate "Nftables Examples" article][nftables-examples] +instead. + + +[iptables]: https://en.wikipedia.org/wiki/Iptables + "iptables command-line Linux firewall tool" +[nft]: https://en.wikipedia.org/wiki/Nftables + "nft command-line tool and nftables Linux firewall subsystem" +[wireguard]: https://wireguard.com/ + "Wireguard VPN" +[json]: https://json.org/ + "JavaScript Object Notation" +[nftables-examples]: {{< relref "/articles/nftables-examples.md" >}} + "Example nftable laptop and server configs" |
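Review bot: the line `+The detauls are a bit long for a blog post (even for me!), so they are` has a typo in the added post body: `detauls` should be `details`. In the same hunk the reference definition `+[wireguard]: https://wireguard.com/` (with its `"Wireguard VPN"` title line) is never referenced anywhere in the post text, so it is dead markup; either drop those two lines or add the sentence that links to it. Everything else in the front matter and the link definitions (`[iptables]`, `[nft]`, `[json]`, `[nftables-examples]`) matches a reference used in the body.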