---
slug: nftables-sitrep
title: "Nftables Sitrep"
date: "2021-10-20T01:39:11-04:00"
---
In April I decided to switch the firewalls for my laptop and a couple of
servers from [`iptables`][iptables] to [`nft` and nftables][nft].
After several months of use I can report that the experience has been
positive.

Pros:

* Simple declarative configuration file. No more hacky shell scripts.
* Atomic (all or nothing) ruleset changes.
* Faster ruleset changes.
* Built-in [JSON][] support.

Cons:

* Occasionally finicky parser.
* Remapping IP ranges can be more verbose than [iptables][].

The details are a bit long for a blog post (even for me!), so they are
available as a [separate "Nftables Examples" article][nftables-examples]
instead.

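An added illustration of the declarative, atomic and JSON points above (this is an example written for this page, not one of the configs from the examples article); the file path and the SSH-only policy are assumptions:

```nft
#!/usr/sbin/nft -f
# Minimal laptop ruleset (illustrative; assumed path /etc/nftables.conf).
# Load with `nft -f /etc/nftables.conf`: the kernel commits the whole file
# as one transaction, so a parse error or a rejected rule leaves the running
# ruleset untouched. `nft -c -f /etc/nftables.conf` only checks the syntax.
# The leading `flush ruleset` makes a reload replace the old rules in the
# same transaction instead of appending to them.
flush ruleset

table inet filter {
    # Assumption: only SSH should be reachable from the network.
    set admin_ports {
        type inet_service
        elements = { 22 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP and ICMPv6 carry path MTU discovery and neighbour discovery;
        # dropping them silently breaks connectivity.
        meta l4proto { icmp, icmpv6 } accept

        tcp dport @admin_ports ct state new accept
        # Everything else falls through to the chain policy (drop).
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

`nft -j list ruleset` dumps the live ruleset in the JSON form mentioned under the pros, which is convenient for auditing the loaded policy from scripts.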
[iptables]: https://en.wikipedia.org/wiki/Iptables
"iptables command-line Linux firewall tool"
[nft]: https://en.wikipedia.org/wiki/Nftables
"nft command-line tool and nftables Linux firewall subsystem"
[wireguard]: https://wireguard.com/
"Wireguard VPN"
[json]: https://json.org/
"JavaScript Object Notation"
[nftables-examples]: {{< relref "/articles/nftables-examples.md" >}}
"Example nftables laptop and server configs"