
Thread: NFTables IPTables-Replacement Queued For Linux 3.13

  1. #1 (Join Date: Jan 2007; Posts: 13,405)

    NFTables IPTables-Replacement Queued For Linux 3.13

    Phoronix: NFTables IPTables-Replacement Queued For Linux 3.13

    NFTables is a new firewall subsystem / packet filtering engine for the Linux kernel that is poised to replace iptables. NFTables has been in development for several years by the upstream author of Netfilter. This new nftables system is set to be merged now into the Linux 3.13 kernel...

    http://www.phoronix.com/vr.php?view=MTQ5MDU

  2. #2 (Join Date: Jan 2013; Posts: 139)

    Wonder how that will affect Fedora FirewallD, which, from the little I came to use it in the CLI, seemed much better than the old iptables daemons.

  3. #3 (Join Date: Dec 2009; Posts: 250)

    No idea what you're talking about

    Quote Originally Posted by iniudan
    Wonder how that will affect Fedora FirewallD, which, from the little I came to use it in the CLI, seemed much better than the old iptables daemons.

    iptables is kernel modules + userland commands. It doesn't use a daemon anywhere. Looks like some sort of OS functionality.

  4. #4 (Join Date: Jan 2013; Posts: 139)

    Quote Originally Posted by dimko
    iptables is kernel modules + userland commands. It doesn't use a daemon anywhere. Looks like some sort of OS functionality.

    Front-end then, sorry for my mistake in terminology.

  5. #5

    Quote Originally Posted by iniudan
    Front-end then, sorry for my mistake in terminology.

    Yeah. The front-end here abstracts away the kernel implementation details. It doesn't matter to end users whether it is netfilter or nftables. They would at the minimum get the same functionality, perhaps with better performance.

  6. #6 (Join Date: Jul 2008; Location: Greece; Posts: 3,762)

    It's still tables though, right? :-P

  7. #7 (Join Date: Oct 2013; Posts: 1)

    Per-program rules

    Will it finally be possible with nftables to block certain programs from sending or receiving on the net (optionally filtered by port too)?
    :P

  8. #8 (Join Date: Dec 2012; Posts: 404)

    Quote Originally Posted by tesfabpel
    Will it finally be possible with nftables to block certain programs from sending or receiving on the net (optionally filtered by port too)?
    :P

    It's not listed at 'Main features'. If I remember correctly, firewall developers mentioned that this should be handled in userspace, i.e. some LD_PRELOAD library that catches connect() calls and matches them against a list of allowed/blocked connection characteristics. Which, in my opinion, is a sane thing to do (i.e. let userspace handle userspace).

    However, I don't think this has ever been done since it's rather ineffective. A virus could infect an .so and turn a fully legit executable binary into a virus-serving thingy... Furthermore, when I reinstall Windows on friends'/relatives' computers I let the Windows firewall handle things. Do you really expect everyone to check each .exe (or bin) for whether it's legit or not? That is just wishful thinking. Most Linux defense mechanisms (PaX, SELinux) are geared to not get infected in the first place (or mitigate it) so you won't need these kinds of 'safety measures'.

    Back on topic: This looks really nice, the kernel side will be a lot smaller now that protocol specific handling will move to userspace.

    I just really hope I won't have to rewrite my rules, I spent ages on the current ones.

  9. #9 (Join Date: Jul 2012; Location: SuperUserLand; Posts: 526)

    Rexillion, in Windows or OS X, where you have a million services and system components dialing home, yes, whitelisting can be problematic and difficult, but in Linux distros it wouldn't be.


    "However, I don't think this has ever been done since it's rather ineffective. A virus could infect an .so and turn a fully legit executable binary into a virus-serving thingy... Furthermore, when I reinstall Windows on friends'/relatives' computers I let the Windows firewall handle things. Do you really expect everyone to check each .exe (or bin) for whether it's legit or not? That is just wishful thinking."

    At least you would have a chance, let's say if a legit service gets compromised, to see who it was dialing to.

    I maintain that Little Snitch is one of the best firewalls I've seen, and it allows you to define rules like "app x can only dial to IP y via port z once".

  10. #10 (Join Date: Feb 2008; Location: Linuxland; Posts: 4,725)

    Quote Originally Posted by tesfabpel
    Will it finally be possible with nftables to block certain programs from sending or receiving on the net (optionally filtered by port too)?
    :P

    You can already do this the Android way, by running those programs as their own user. The firewall can filter by UID.
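The userspace approach that post #8 describes (an LD_PRELOAD library that catches connect() and checks it against a list of allowed destinations), written out as an added example so the trade-off discussed in posts #8 to #10 can be seen concretely. This is not code from the thread, from Phoronix or from the netfilter project. It assumes Linux, a dynamically linked target program, and a constructed allow-list of destination ports (53, 80, 443); the file name connect_shim.c and the function names policy_allows and policy_allows_v4 are invented for the example.

```c
/* connect_shim.c: LD_PRELOAD shim that enforces a per-process outbound
 * port allow-list.  Build:  cc -shared -fPIC -o connect_shim.so connect_shim.c
 * Run:                      LD_PRELOAD=./connect_shim.so ./someprogram
 * Example code, not part of nftables or of the thread above. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed allow-list for the example: DNS, HTTP and HTTPS only.
 * A real shim would read this from a config file or the environment. */
static const uint16_t allowed_ports[] = { 53, 80, 443 };

/* Destination port of an IPv4/IPv6 socket address, or 0 when the address
 * is too short to be trusted or belongs to a family the policy ignores. */
static uint16_t dest_port(const struct sockaddr *addr, socklen_t len)
{
    if (addr == NULL) return 0;
    if (addr->sa_family == AF_INET && len >= sizeof(struct sockaddr_in))
        return ntohs(((const struct sockaddr_in *)addr)->sin_port);
    if (addr->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6))
        return ntohs(((const struct sockaddr_in6 *)addr)->sin6_port);
    return 0;
}

/* Policy decision: 1 = allow, 0 = block.  Non-IP families (unix sockets,
 * netlink) pass through untouched; the goal is to filter internet traffic.
 * A truncated IP address yields port 0, which is never on the list, so the
 * shim fails closed for malformed input. */
int policy_allows(const struct sockaddr *addr, socklen_t len)
{
    if (addr == NULL) return 1;
    if (addr->sa_family != AF_INET && addr->sa_family != AF_INET6) return 1;
    uint16_t port = dest_port(addr, len);
    for (size_t i = 0; i < sizeof allowed_ports / sizeof allowed_ports[0]; i++)
        if (allowed_ports[i] == port) return 1;
    return 0;
}

/* Helper that evaluates the policy for a dotted-quad IPv4 address and port,
 * so the decision logic can be exercised without opening a socket. */
int policy_allows_v4(const char *ip, uint16_t port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return 0;
    return policy_allows((const struct sockaddr *)&sa, sizeof sa);
}

/* The interposed connect(2).  When this library is preloaded, the dynamic
 * linker resolves the program's (and libc-using libraries') calls to
 * connect() here first.  Allowed calls are forwarded to the kernel with
 * syscall(2) instead of dlsym(RTLD_NEXT, "connect"), which keeps the shim
 * free of libdl.  Blocked calls fail with EACCES, which is what an
 * application sees from an administratively prohibited destination. */
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    if (!policy_allows(addr, len)) {
        fprintf(stderr, "connect_shim: blocked connect to port %u\n",
                (unsigned)dest_port(addr, len));
        errno = EACCES;
        return -1;
    }
    return (int)syscall(SYS_connect, fd, addr, len);
}
```

The limits Rexillion and the later posters argue about are visible in the code itself: the shim only sees calls that go through the dynamic linker, so a statically linked binary, a program that issues the connect syscall directly, or code that simply unsets LD_PRELOAD before re-executing itself walks past it; the loader also ignores LD_PRELOAD from the environment for setuid programs; and whoever can overwrite the preloaded .so owns the policy. The kernel-side alternative in post #10 (run the program under a dedicated user and match on the owning UID) has none of those gaps, because the decision is taken on the socket in the kernel no matter how the process reached it; in nftables the match is `meta skuid` in a chain on the output hook.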
