default firewall utility changes for Debian 11 bullseye

default firewall utility changes for Debian 11 bullseye

Arturo Borrero Gonzalez-3
Hi there,

as you may know, Debian 10 buster includes the iptables-nft utility by default,
which is an iptables flavor that uses the nf_tables kernel subsystem.
It is intended to help people migrate from iptables to nftables.

For the next release cycle I propose we move this default event further.
As of this email, iptables [0] is Priority: important and nftables [1] is
Priority: optional in both buster and bullseye. The important value means the
package gets installed by default in every Debian install.

Also, I believe the days of using a low level tool for directly configuring the
firewall may be gone, at least for desktop use cases. It seems the industry more
or less agreed on using firewalld [2] as a wrapper for the system firewall.
There are plenty of system services that integrate with firewalld anyway [3].
By the way, firewalld is using (or should be using) nftables by default at this
point.

This email contains 2 changes/proposals for Debian 11 bullseye:

1) switch priority values for iptables/nftables, i.e., make nftables Priority:
important and iptables Priority: optional

2) introduce firewalld as the default firewalling wrapper in Debian, at least in
desktop related tasksel tasks.

For changes in 2) I'm looking forward to having consensus, and will need others to
do the changes themselves.
I can do the changes in 1) myself, and will probably do so very soon.

regards

[0] https://tracker.debian.org/pkg/iptables
[1] https://tracker.debian.org/pkg/nftables
[2] https://tracker.debian.org/pkg/firewalld
[3] disclaimer: I don't use firewalld myself


Re: default firewall utility changes for Debian 11 bullseye

Guillem Jover
Hi!

On Tue, 2019-07-16 at 11:07:15 +0200, Arturo Borrero Gonzalez wrote:
> as you may know, Debian 10 buster includes the iptables-nft utility by
> default, which is an iptables flavor that uses the nf_tables kernel
> subsystem. It is intended to help people migrate from iptables to nftables.

Yeah, this was a great way to migrate, thanks!

> This email contains 2 changes/proposals for Debian 11 bullseye:
>
> 1) switch priority values for iptables/nftables, i.e, make nftables Priority:
> important and iptables Priority: optional

Ack. We should really be moving towards nftables, which is so much
better in any possible way. I think doing this early would be good
so that we can find any remaining issues (at least in documentation)
about migrating from iptables to nftables.

As mentioned elsewhere, while you can do the change in the packages
you maintain, you'll still need to file an override change request
against ftp.debian.org so that this gets actually modified. :)

> 2) introduce firewalld as the default firewalling wrapper in Debian,
> at least in desktop related tasksel tasks.

I've never used this nor do use a traditional desktop, so have no
opinion on it, and I'm not sure I care deeply TBH. :)

Thanks,
Guillem


Re: default firewall utility changes for Debian 11 bullseye

Raphael Hertzog-3
In reply to this post by Arturo Borrero Gonzalez-3
Hi,

I'm replying to your questions but I have also other questions related to
this fresh transition...

On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:
> as you may know, Debian 10 buster includes the iptables-nft utility by default,
> which is an iptables flavor that uses the nf_tables kernel subsystem.
> It is intended to help people migrate from iptables to nftables.

Is it intended that /proc/net/ip_tables_names and
/proc/net/ip6_tables_names are always empty when you use iptables-nft and
thus nf_tables under the hood?

This is breaking fwbuilder at least: https://github.com/fwbuilder/fwbuilder/issues/88

> Also, I believe the days of using a low level tool for directly configuring the
> firewall may be gone, at least for desktop use cases. It seems the industry more
> or less agreed on using firewalld [2] as a wrapper for the system firewall.

What would/should Debian recommend to configure the firewall in the server
case?

I was recommending creating firewall rules with fwbuilder up to now (see
https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html)
but while it's still maintained, it has not had any recent release
and still has no native nftables support
(https://github.com/fwbuilder/fwbuilder/issues/17).

> This email contains 2 changes/proposals for Debian 11 bullseye:
>
> 1) switch priority values for iptables/nftables, i.e, make nftables Priority:
> important and iptables Priority: optional

Ack.

> 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> desktop related tasksel tasks.

No objection. I think it's high time we have some default firewall
installed in particular with IPv6 getting more widely deployed...

The other desktop firewall that I know is "ufw" but it doesn't seem to
have any momentum behind it.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/


Re: default firewall utility changes for Debian 11 bullseye

Arturo Borrero Gonzalez-3
On 7/16/19 11:57 AM, Raphael Hertzog wrote:

> Hi,
>
> I'm replying to your questions but I have also other questions related to
> this fresh transition...
>
> On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:
>> as you may know, Debian 10 buster includes the iptables-nft utility by default,
>> which is an iptables flavor that uses the nf_tables kernel subsystem.
>> It is intended to help people migrate from iptables to nftables.
>
> Is it intended that /proc/net/ip_tables_names and
> /proc/net/ip6_tables_names are always empty when you use iptables-nft and
> thus nf_tables under the hood?
>
> This is breaking fwbuilder at least: https://github.com/fwbuilder/fwbuilder/issues/88
>

yes, nf_tables does not expose that data into /proc/, it uses a netlink API
which is a better way of interacting with it.

>> Also, I believe the days of using a low level tool for directly configuring the
>> firewall may be gone, at least for desktop use cases. It seems the industry more
>> or less agreed on using firewalld [2] as a wrapper for the system firewall.
>
> What would/should Debian recommend to configure the firewall in the server
> case?
>
> I was recommending creating firewall rules with fwbuilder up to now (see
> https://debian-handbook.info/browse/stable/sect.firewall-packet-filtering.html)

The reset_iptables() function you mentioned in the above issue doesn't even
replace the rules in an atomic fashion, which is not a good way to work with
firewall rules, especially for wrappers.

firewalld can be useful in server use cases as well. Here is libvirt using
firewalld (and nftables):

https://libvirt.org/firewall.html#fw-firewalld-and-virtual-network-driver

This is all to say that firewalld may be way better than fwbuilder as a general
recommendation.


Re: default firewall utility changes for Debian 11 bullseye

Ben Hutchings-3
In reply to this post by Raphael Hertzog-3
On Tue, 2019-07-16 at 11:57 +0200, Raphael Hertzog wrote:
[...]
> The other desktop firewall that I know is "ufw" but it doesn't seem to
> have any momentum behind it.

Also, while its syntax is obviously intended to be simple, it's quite
irregular and the syntax error messages aren't very helpful.

Ben.

--
Ben Hutchings
If God had intended Man to program,
we'd have been born with serial I/O ports.

Re: default firewall utility changes for Debian 11 bullseye

Helmut Grohne
In reply to this post by Arturo Borrero Gonzalez-3
On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote:
> Also, I believe the days of using a low level tool for directly configuring the
> firewall may be gone, at least for desktop use cases. It seems the industry more
> or less agreed on using firewalld [2] as a wrapper for the system firewall.
> There are plenty of system services that integrate with firewalld anyway [3].
> By the way, firewalld is using (or should be using) nftables by default at this
> point.

The current firewalld package in unstable depends on iptables, which
means that it does use nftables under the hood unless one fiddles with
alternatives.

apt-file search /usr/bin/firewalld suggests that at present, two
packages (freedombox and glusterfs-common) integrate with firewalld. For
comparison, 17 packages integrate with ufw.

Disclaimer: This is not an endorsement of ufw. I merely researched the
situation and am summarizing my findings.

Still I am drawing the conclusion that "the industry more or less agreed
on using firewalld" seems wrong to me.

If you want to make firewalld the desktop default, I encourage you to
look back at how apparmor was made the default. I remember that as a
very good process. You raise the issue at a very good time.

Helmut


Re: default firewall utility changes for Debian 11 bullseye

Michael Biebl-3
Am 17.07.19 um 13:04 schrieb Helmut Grohne:

> On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote:
>> Also, I believe the days of using a low level tool for directly configuring the
>> firewall may be gone, at least for desktop use cases. It seems the industry more
>> or less agreed on using firewalld [2] as a wrapper for the system firewall.
>> There are plenty of system services that integrate with firewalld anyway [3].
>> By the way, firewalld is using (or should be using) nftables by default at this
>> point.
>
> The current firewalld package in unstable depends on iptables, which
> means that it does use nftables under the hood unless one fiddles with
> alternatives.
>
> apt-file search /usr/bin/firewalld suggests that at present, two
> packages (freedombox and glusterfs-common) integrate with firewalld. For
> comparison, 17 packages integrate with ufw.
>
That list appears to be incomplete. You should also search for
org.fedoraproject.FirewallD1, i.e. software using the D-Bus interface of
firewalld:
https://codesearch.debian.net/search?q=org.fedoraproject.FirewallD1




--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Re: default firewall utility changes for Debian 11 bullseye

Stephan Seitz-5
In reply to this post by Guillem Jover
On Di, Jul 16, 2019 at 11:23:43 +0200, Guillem Jover wrote:
>On Tue, 2019-07-16 at 11:07:15 +0200, Arturo Borrero Gonzalez wrote:
>> as you may know, Debian 10 buster includes the iptables-nft utility by
>> default, which is an iptables flavor that uses the nf_tables kernel
>> subsystem. It is intended to help people migrate from iptables to nftables.
>Yeah, this was a great way to migrate, thanks!

What is the problem with using iptables-nft compared to the new nft
syntax?

According to the documentation nft seems quite a bit more complex.
What would be the replacement for a simple single line like
iptables -I INPUT -j DROP -s <ip> -p tcp --dport 587 ?

What about other packages like fail2ban? Does it "hurt" if different
programs are using iptables-nft or nft?

Shade and sweet water!

        Stephan

--
| Public Keys: http://fsing.rootsland.net/~stse/keys.html |


Re: default firewall utility changes for Debian 11 bullseye

Thomas Pircher-2
Stephan Seitz wrote:
> What would be the replacement for a simple single line like
> iptables -I INPUT -j DROP -s <ip> -p tcp --dport 587 ?

You can use iptables-translate. It is not foolproof and does not
always give the best results, but it can give you a good starting point
for your optimisations:

# iptables-translate -A INPUT -s 1.2.3.4  -p tcp --dport 587 -j DROP
nft add rule ip filter INPUT ip saddr 1.2.3.4 tcp dport 587 counter drop

Thomas
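
The one-line translation above covers a single rule. Arturo's point earlier in the thread was that rules should be replaced atomically rather than inserted one at a time, and the native nft way to get that is to load a whole ruleset from a file. The script below is an added example written for this thread, not code from any poster or from the nftables project: it emits a complete ruleset whose first statement is `flush ruleset`, so `nft -f` swaps the old policy for the new one in a single transaction, and it dry-runs the file with `nft -c` before loading. The table and chain names, the blocked address 192.0.2.10 (documentation range) and port 587 are constructed placeholders; the drop rule is the translated equivalent of Stephan's iptables line.

```shell
#!/bin/sh
# Added example (not from the thread): build an nftables ruleset as one file
# and load it atomically with `nft -f` instead of inserting rules one by one.
# Addresses, ports and table/chain names below are constructed placeholders.
set -eu

# Emit a complete ruleset for the given blocked address and TCP port.
# `flush ruleset` at the top makes the file replace the previous state in a
# single kernel transaction: packets never see a half-applied policy, which
# is exactly what a sequence of `iptables -I` calls cannot guarantee.
build_ruleset() {
    blocked_ip=$1
    blocked_port=$2
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # keep loopback and already established flows working
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # translated equivalent of
        #   iptables -I INPUT -s $blocked_ip -p tcp --dport $blocked_port -j DROP
        ip saddr $blocked_ip tcp dport $blocked_port counter drop

        # ICMP/ICMPv6 and SSH (constructed policy, adjust to taste)
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport 22 accept
    }
}
EOF
}

# Check the file first (`nft -c` parses it and asks the kernel to validate it
# without committing), then load it. Needs root and the nft binary.
load_ruleset() {
    file=$1
    nft -c -f "$file"
    nft -f "$file"
}

# Usage (constructed values):
#   sh this_script.sh 192.0.2.10 587 > /tmp/ruleset.nft
#   then, as root: nft -c -f /tmp/ruleset.nft && nft -f /tmp/ruleset.nft
if [ "$#" -eq 2 ]; then
    build_ruleset "$1" "$2"
fi
```

Because the whole policy lives in one file, `nft -c -f` turns a typo into a rejected load rather than a firewall left half-open, and the same file can be installed as /etc/nftables.conf so the nftables.service unit restores it at boot.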


Re: default firewall utility changes for Debian 11 bullseye

Michael Biebl-3
In reply to this post by Michael Biebl-3
Am 17.07.19 um 13:16 schrieb Michael Biebl:

> Am 17.07.19 um 13:04 schrieb Helmut Grohne:
>> On Tue, Jul 16, 2019 at 11:07:15AM +0200, Arturo Borrero Gonzalez wrote:
>>> Also, I believe the days of using a low level tool for directly configuring the
>>> firewall may be gone, at least for desktop use cases. It seems the industry more
>>> or less agreed on using firewalld [2] as a wrapper for the system firewall.
>>> There are plenty of system services that integrate with firewalld anyway [3].
>>> By the way, firewalld is using (or should be using) nftables by default at this
>>> point.
>>
>> The current firewalld package in unstable depends on iptables, which
>> means that it does use nftables under the hood unless one fiddles with
>> alternatives.
>>
>> apt-file search /usr/bin/firewalld suggests that at present, two
>> packages (freedombox and glusterfs-common) integrate with firewalld. For
>> comparison, 17 packages integrate with ufw.
>>
>
> That list appears to be incomplete. You should also search for
> org.fedoraproject.FirewallD1, i.e. software using the D-Bus interface of
> firewalld:
> https://codesearch.debian.net/search?q=org.fedoraproject.FirewallD1
Also forgot to mention: I assume what you meant with "integrate with
ufw" is packages shipping a service description in
/etc/ufw/applications.d/, say

samba: /etc/ufw/applications.d/samba

firewalld ships a lot of such service descriptions itself. If you take
the above example of samba:

firewalld: /usr/lib/firewalld/services/samba-client.xml
firewalld: /usr/lib/firewalld/services/samba-dc.xml
firewalld: /usr/lib/firewalld/services/samba.xml

$ apt-file list firewalld | grep /usr/lib/firewalld/services/ | wc -l
168

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


Re: default firewall utility changes for Debian 11 bullseye

Stephan Seitz-5
In reply to this post by Thomas Pircher-2
On Mi, Jul 17, 2019 at 12:32:31 +0100, Thomas Pircher wrote:
># iptables-translate -A INPUT -s 1.2.3.4  -p tcp --dport 587 -j DROP
>nft add rule ip filter INPUT ip saddr 1.2.3.4 tcp dport 587 counter drop

Ah, thank you very much!

        Stephan

--
| Public Keys: http://fsing.rootsland.net/~stse/keys.html |


Re: default firewall utility changes for Debian 11 bullseye

Chris Lamb -2
In reply to this post by Raphael Hertzog-3
Raphael Hertzog wrote:

> The other desktop firewall that I know is "ufw" but it doesn't seem to
> have any momentum behind it.

It is curious you mention a lack of momentum; in my experience, it is
the most commonly recommended firewall on various support-adjacent
sites around the internet. (Perhaps due to its Ubuntu/Canonical
associations and authorship.)


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [hidden email] 🍥 chris-lamb.co.uk
       `-


Re: default firewall utility changes for Debian 11 bullseye

Paul Wise via nm
In reply to this post by Helmut Grohne
On Wed, Jul 17, 2019 at 7:05 PM Helmut Grohne wrote:

> If you want to make firewalld the desktop default

To me, something like opensnitch seems like a better option for a
desktop firewall once it becomes more mature and enters Debian.

https://github.com/evilsocket/opensnitch/
https://bugs.debian.org/909567

--
bye,
pabs

https://wiki.debian.org/PaulWise


Re: default firewall utility changes for Debian 11 bullseye

Marco d'Itri
On Jul 17, Paul Wise <[hidden email]> wrote:

> To me, something like opensnitch seems like a better option for a
> desktop firewall once it becomes more mature and enters Debian.
This project is a "personal firewall", which is a quite different
thing from what is being discussed here.

--
ciao,
Marco


Re: default firewall utility changes for Debian 11 bullseye

Jamie Strandboge
In reply to this post by Arturo Borrero Gonzalez-3
On Tue, 16 Jul 2019, Arturo Borrero Gonzalez wrote:

> Hi there,
>
> as you may know, Debian 10 buster includes the iptables-nft utility by default,
> which is an iptables flavor that uses the nf_tables kernel subsystem.
> It is intended to help people migrate from iptables to nftables.
>
> For the next release cycle I propose we move this default event further.
> As of this email, iptables [0] is Priority: important and nftables [1] is
> Priority: optional in both buster and bullseye. The important value means the
> package gets installed by default in every Debian install.

As the upstream ufw developer, this makes sense to me.

> Also, I believe the days of using a low level tool for directly configuring the
> firewall may be gone, at least for desktop use cases. It seems the industry more
> or less agreed on using firewalld [2] as a wrapper for the system firewall.
> There are plenty of system services that integrate with firewalld anyway [3].
> By the way, firewalld is using (or should be using) nftables by default at this
> point.
>
> This email contains 2 changes/proposals for Debian 11 bullseye:
>
> 1) switch priority values for iptables/nftables, i.e, make nftables Priority:
> important and iptables Priority: optional

Makes sense.

> 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> desktop related tasksel tasks.

I'm obviously biased, but anecdotally I have had quite a few people say
disparaging things about firewalld, particularly from server admins. I'm not
really in a position for people to sing firewalld's praises to me, so take that
for what it is worth.

IIRC, network-manager has a fair frontend for firewalld that could be nice for
desktop users if Debian wants that tight integration. That said, I can say that
the ufw packaging makes it so it stays out of the way for people who want to
use other firewall applications. I encourage Debian in whatever choice is made
to make sure that the experience degrades gracefully if someone chooses
something other than the default.

--
Email: [hidden email]
IRC:   jdstrand


Re: default firewall utility changes for Debian 11 bullseye

Jamie Strandboge
In reply to this post by Stephan Seitz-5
On Wed, 17 Jul 2019, Stephan Seitz wrote:

> On Di, Jul 16, 2019 at 11:23:43 +0200, Guillem Jover wrote:
> > On Tue, 2019-07-16 at 11:07:15 +0200, Arturo Borrero Gonzalez wrote:
> > > as you may know, Debian 10 buster includes the iptables-nft utility by
> > > default, which is an iptables flavor that uses the nf_tables kernel
> > > subsystem. It is intended to help people migrate from iptables to nftables.
> > Yeah, this was a great way to migrate, thanks!
>
> What is the problem with using iptables-nft compared to the new nft syntax?
>
> According to the documentation nft seems quite a bit more complex.
> What would be the replacement for a simple single line like
> iptables -I INPUT -j DROP -s <ip> -p tcp --dport 587 ?
>
> What about other packages like fail2ban? Does it "hurt" if different
> programs are using iptables-nft or nft?
>
The thing you want to avoid is mixing nft with iptables-legacy. iptables-nft
and nft should be fine.

--
Email: [hidden email]
IRC:   jdstrand
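
A quick way to see which situation a host is in, as an added example written for this thread rather than code from ufw, fail2ban or the iptables project: `iptables -V` on iptables 1.8 prints the backend in parentheses, and the `iptables-legacy-save` / `iptables-nft-save` binaries shipped in Debian's iptables package dump each backend's tables separately. The script classifies a version banner and, in live mode, counts rules in both backends so that the mixed case Jamie warns about (rules in x_tables and nf_tables at the same time, with packets traversing both) is reported. The banner strings and the iptables-save dump used in the comments and tests are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): tell which backend an iptables binary
# uses from its `iptables -V` banner, and warn when rules are loaded in both
# the legacy (x_tables) and the nf_tables backend on the same host.
set -eu

# Map a version banner to its backend. iptables 1.8 prints, for example,
#   iptables v1.8.7 (nf_tables)      -> nf_tables
#   iptables v1.8.7 (legacy)         -> legacy
# and older releases print no backend at all  -> unknown
backend_from_banner() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count rule lines (those starting with "-A ") in an iptables-save style dump
# read from stdin. `grep -c` exits 1 when the count is zero but still prints
# it, hence the `|| true` so that `set -e` does not abort on an empty table.
count_rules() {
    grep -c '^-A ' || true
}

# Live check: needs root plus the *-legacy-save and *-nft-save tools from the
# iptables package. Returns 1 when both backends carry rules, which is the
# combination to avoid; iptables-nft and nft together are fine.
check_mixed_backends() {
    legacy=$( { iptables-legacy-save 2>/dev/null; ip6tables-legacy-save 2>/dev/null; } | count_rules)
    nft_rules=$( { iptables-nft-save 2>/dev/null; ip6tables-nft-save 2>/dev/null; } | count_rules)
    echo "legacy=$legacy nf_tables=$nft_rules backend=$(backend_from_banner "$(iptables -V 2>/dev/null || true)")"
    if [ "$legacy" -gt 0 ] && [ "$nft_rules" -gt 0 ]; then
        echo "WARNING: rules loaded in both backends; packets traverse both rule sets" >&2
        return 1
    fi
    return 0
}

# Usage: sh this_script.sh --live   (as root) to inspect the running host.
if [ "${1:-}" = "--live" ]; then
    check_mixed_backends
fi
```

Running the live check from a cron job or a configuration-management health check is a cheap way to notice that some package (or an admin following an old howto) has started populating the legacy backend behind a host that otherwise runs on nf_tables.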


Re: default firewall utility changes for Debian 11 bullseye

Jamie Strandboge
In reply to this post by Raphael Hertzog-3
On Tue, 16 Jul 2019, Raphael Hertzog wrote:

> > 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> > desktop related tasksel tasks.
>
> No objection. I think it's high time we have some default firewall
> installed in particular with IPv6 getting more widely deployed...
>
> The other desktop firewall that I know is "ufw" but it doesn't seem to
> have any momentum behind it.

Again, I'm biased, but ufw supports IPv6. It's also been on the default server
and desktop install of Ubuntu for 9+ years. ufw functions well for bastion
hosts, less so for routers (though it has some facility there). Perhaps the
perceived 'lack of momentum' has to do with a lack of feature development, but
for the primary bastion host case, I haven't deemed this necessary.

--
Email: [hidden email]
IRC:   jdstrand


Re: default firewall utility changes for Debian 11 bullseye

Jamie Strandboge
In reply to this post by Ben Hutchings-3
On Tue, 16 Jul 2019, Ben Hutchings wrote:

> On Tue, 2019-07-16 at 11:57 +0200, Raphael Hertzog wrote:
> [...]
> > The other desktop firewall that I know is "ufw" but it doesn't seem to
> > have any momentum behind it.
>
> Also, while its syntax is obviously intended to be simple, it's quite
> irregular and the syntax error messages aren't very helpful.

FYI, the simple syntax is meant to be, well, simple and the extended syntax is
supposed to resemble OpenBSD's PF. That may not be everyone's cup of tea of
course... :)

As for syntax error messages, please file bugs in the BTS or upstream. I'd be
happy to take a look.

--
Email: [hidden email]
IRC:   jdstrand


Re: default firewall utility changes for Debian 11 bullseye

Jamie Strandboge
In reply to this post by Chris Lamb -2
On Wed, 17 Jul 2019, Chris Lamb wrote:

> Raphael Hertzog wrote:
>
> > The other desktop firewall that I know is "ufw" but it doesn't seem to
> > have any momentum behind it.
>
> It is curious you mention a lack of momentum; in my experience, it is
> the most commonly recommended firewall on various support-adjacent
> sites around the internet. (Perhaps due to it's Ubuntu/Canonical
> associations and authorship.)
>
FYI, I'm not aware of any distributions other than Ubuntu where it is in the
default install, but based on bug reports, I know it is in quite a few
distributions. I've always been pleasantly surprised at how much it is used,
and written about. :)

--
Email: [hidden email]
IRC:   jdstrand


Re: default firewall utility changes for Debian 11 bullseye

Jamie Strandboge
In reply to this post by Jamie Strandboge
On Wed, 17 Jul 2019, Jamie Strandboge wrote:

> On Tue, 16 Jul 2019, Raphael Hertzog wrote:
>
> > > 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> > > desktop related tasksel tasks.
> >
> > No objection. I think it's high time we have some default firewall
> > installed in particular with IPv6 getting more widely deployed...
> >
> > The other desktop firewall that I know is "ufw" but it doesn't seem to
> > have any momentum behind it.
>
> Again, I'm biased, but ufw supports IPv6. It's also been on the default server
> and desktop install of Ubuntu for 9+ years. ufw functions well for bastion
> hosts, less so for routers (though it has some facility there). Perhaps the
> perceived 'lack of momentum' has to do with a lack of feature development, but
> for the primary bastion host case, I haven't deemed this necessary.

Oh, I forgot to mention. I've never actually considered ufw as a "desktop"
firewall. I've considered it a decent "bastion" firewall with a CLI experience
(desktop or server). The ufw project lacks a GUI frontend which may be
desirable for a "desktop" firewall (see my previous comment re firewalld and
network-manager; there are various GUIs written for ufw, but not associated
with the project).

--
Email: [hidden email]
IRC:   jdstrand
