From 2843241ff10addec337a2163e4b85e12807e6ebe Mon Sep 17 00:00:00 2001 From: Paul Duncan Date: Wed, 20 Oct 2021 04:52:30 -0400 Subject: add content/posts/2021-10-20-nftables-sitrep.md and content/articles/nftables-examples.md --- content/posts/2021-10-20-nftables-sitrep.md | 36 +++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 content/posts/2021-10-20-nftables-sitrep.md (limited to 'content/posts') diff --git a/content/posts/2021-10-20-nftables-sitrep.md b/content/posts/2021-10-20-nftables-sitrep.md new file mode 100644 index 0000000..17b421c --- /dev/null +++ b/content/posts/2021-10-20-nftables-sitrep.md @@ -0,0 +1,36 @@ +--- +slug: nftables-sitrep +title: "Nftables Sitrep" +date: "2021-10-20T01:39:11-04:00" +--- +In April I decided to switch the firewalls for my laptop and a couple of +servers from [`iptables`][iptables] to [`nft` and nftables][nft]. + +After several months of use I can report that the experience has been +positive. + +Pros: +* Simple declarative configuration file. No more hacky shell scripts. +* Atomic (all or nothing) ruleset changes. +* Faster ruleset changes. +* Built-in [JSON][] support. + +Cons: +* Occasionally finicky parser. +* Remapping IP ranges can be more verbose than [iptables][]. + +The detauls are a bit long for a blog post (even for me!), so they are +available as a [separate "Nftables Examples" article][nftables-examples] +instead. + + +[iptables]: https://en.wikipedia.org/wiki/Iptables + "iptables command-line Linux firewall tool" +[nft]: https://en.wikipedia.org/wiki/Nftables + "nft command-line tool and nftables Linux firewall subsystem" +[wireguard]: https://wireguard.com/ + "Wireguard VPN" +[json]: https://json.org/ + "JavaScript Object Notation" +[nftables-examples]: {{< relref "/articles/nftables-examples.md" >}} + "Example nftable laptop and server configs" -- cgit v1.2.3
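Review bot: typo in the added post body, the line "The detauls are a bit long for a blog post" should read "The details are a bit long for a blog post". Two smaller points in the same hunk: the `[wireguard]` reference definition at the bottom is never used in the post text and can be dropped, and the `[nftables-examples]` link uses `{{< relref "/articles/nftables-examples.md" >}}`, which Hugo resolves at build time and fails on if that page is missing, so make sure the `content/articles/nftables-examples.md` named in the subject lands in the same commit (the listing here is filtered to `content/posts`, so it is not visible in this diff).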