Hello list,
Today's update of iptables to 1.8.1 failed here because I didn't have
USE=nftables set. After setting that in package.use it was fine. Before I
submit a bug report, though, I'd like to understand one thing:
$ grep nftables $(equery w iptables)
IUSE="conntrack i
On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote:
> On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote:
> > Today's update of iptables to 1.8.1 failed here because I didn't have
> > USE=nftables set. After setting that in package.use it was fine.
On Wednesday, 24 October 2018 15:30:06 BST Peter Humphrey wrote:
> On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote:
> > On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote:
> > > Today's update of iptables to 1.8.1 failed here because I didn't have
On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote:
> Today's update of iptables to 1.8.1 failed here because I didn't have
> USE=nftables set. After setting that in package.use it was fine. Before
> I submit a bug report, though, I'd like to understand one thi
I have 2 questions about the new nftables in kernel 3.13.
1. Are network namespaces not yet supported in nftables? When I load a set of
rules in another namespace with nftables, it affects the default namespace
instead.
The same thing worked perfectly with iptables/ip6tables.
2. What takes
shawn wilson gmail.com> writes:
> Also see nftables: http://netfilter.org/projects/nftables/
Interesting read.
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
http://upload.wikimedia.org/wikipedia/commons/d/dd/Netfilter-components.svg
Where is the diagr
On Sat, Mar 3, 2018 at 7:55 PM, Walter Dnes wrote:
> On Wed, Feb 28, 2018 at 04:40:37PM -0700, Grant Taylor wrote
>> On 02/28/2018 02:15 PM, Walter Dnes wrote:
>>>
>>> Is there something besides iptables?
>>
>> nftables
>
> Assuming I just want f
On Mon, Dec 30, 2013 at 1:04 PM, James wrote:
> shawn wilson gmail.com> writes:
>
>
>> Also see nftables: http://netfilter.org/projects/nftables/
>
> Interesting read.
>
> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>
> h
Andrew makes a good point that, of course, not all options will be
relevant to a particular image or use case. The script is aimed to check
for "full" compatibility. Having some reported as missing is by no means
a deal breaker.
Re nftables it's a very valid point as well. I t
> a deal breaker.
>
> Re nftables it's a very valid point as well. I too use nftables instead
> of iptables and, in general, anything that dares touch my rules I will
> either disable the option for it to do so or, if that's not possible,
> swiftly eradicate it off my sy
On 03/03/2018 05:55 PM, Walter Dnes wrote:
Assuming I just want filtering, could I emerge nftables and unmerge
iptables and have a functional firewall?
Simplistically, yes.
It's my understanding that iptables and nftables are two completely
different firewalling technologies. So you
On Sunday, 17 May 2020 00:58:54 BST Andrew Udvare wrote:
> On 16/05/2020 13:12, Peter Humphrey wrote:
> > I can't find any of those. Any clues for the uninitiated?
>
> I am running Docker fine on 5.6.12 and I am missing a lot:
--->8
> In regards to NF options, I use
On Wed, Feb 28, 2018 at 04:40:37PM -0700, Grant Taylor wrote
> On 02/28/2018 02:15 PM, Walter Dnes wrote:
> > Is there something besides iptables?
>
> nftables
Assuming I just want filtering, could I emerge nftables and unmerge
iptables and have a functional firewall?
--
On 02/28/2018 02:15 PM, Walter Dnes wrote:
Is there something besides iptables?
nftables
I think BPF may come into context here, but I've mostly ignored it, so
I'm not sure.
It seems to be like systemd/perl/python, continuously expanding its scope.
What do you mean?
ecase the "raw" table is just that: raw, unadulterated, unanalyzed
>> > packets. The CPU assumes nothing, it merely tries to match well-known
>> > fields' values.
>> >
>>
>> And because nothing is assumed, you can't prepend a conntrack rul
ch well-known
> > fields' values.
> >
>
> And because nothing is assumed, you can't prepend a conntrack rule. I
> can't think of why you'd ever want those packets (and I should
> probably move at least those 4 masks to raw) but just an FYI - no
> processing
wo apparently different sets of IP filtering
> >options. Do I need the NF set or the older one?
>
> This depends on whether shorewall uses the older iptables stack, or the
> newer nftables one. I don't know much about shorewall, but according to
> a quick
missing
- /dev/zfs: missing
- zfs command: missing
- zpool command: missing
In regards to NF options, I use nftables and I manage the firewall
manually for Docker (I set {"iptables": false} in
/etc/docker/daemon.json). Docker has been extremely slow at adopting
nftables.
You
ic interface.
You can, however, work around this in a rather unusual way via
ip/nftables and DNAT.
You will need to enable IP[v6] forwarding via sysctl (or sysctl.conf):
net.ipv4.ip_forward=1
net.ipv4.conf..route_localnet=1
The latter option is critical as, by default, the kernel will not
uld
> be aggregated into small CIDRs. So the number of blocking rules is
> greatly reduced.
>
> I'm not a deep networking expert. My question is whether I'm better
> off adding iptables reject/drop rules or "reject routes", e.g...
>
If you want to filter co
pull
> in 90% of QT as dependencies. I fondly remember IPCHAINS.
I don't know what you're looking for exactly.
If you want a command line tool for configuring your firewall with an
easier syntax than iptables you could try ufw.
I don't know nftables, yet, but from what I read so
'd ever want those packets (and I should
probably move at least those 4 masks to raw) but just an FYI - no
processing means no processing.
Also see nftables: http://netfilter.org/projects/nftables/
ether shorewall uses the older iptables stack, or the
newer nftables one. I don't know much about shorewall, but according to
a quick search online it seems to still rely on iptables.
In that case, CONFIG_NETFILTER_XT_MATCH_STATE should be the correct
option to use.
I'm using nftable
t. Does anybody know
> of any common solutions for doing packet matching based on just part
> of a MAC address on Linux? Failing that, some advice about whether
> the system daemon and packet inspection route or the netfilter module
> route is more likely to be stable and maintainable wou
yer 3, what is the best route (pun intended)
to protect some winblows systems? And I need the ability to dynamically
block some gaming sites (kids playing too many hours of video).
Then I read about NFtables... [1]
And there is more. So, being a bit busy what would folks recommend
for pur
hanged. Dansguardian is deprecated?
> If I add protection above layer 3, what is the best route (pun intended)
> to protect some winblows systems? And I need the ability to dynamically
> block some gaming sites (kids playing too many hours of video).
>
> Then I read about NFtab
a custom netfilter module.
> >
> > None of this seems particularly "fun" to sort out. Does anybody know
> > of any common solutions for doing packet matching based on just part
> > of a MAC address on Linux? Failing that, some advice about whether
> > th
* Adam Carter:
> when i enable v6, all my internal hosts become directly routable from
> the Internet via the /56 my ISP assigns me.
Even pretty anemic hardware can handle the demands of an IPv6 firewall,
for example using iptables/nftables. The demands of IPV6-related
processing should ac
to use to draw up some
generic diagrams, a wee bit nicer than dia, would be keen suggestions too.
Tripwire vs AIDE?
Perhaps an iptables protecting the dmz systems and main gateway (single
homed) but a nftables [2] based firewall/gw/router to the internal lan?
Note: This is more of a project than
seems much has changed. Dansguardian is deprecated?
>If I add protection above layer 3, what is the best route (pun
>intended)
>to protect some winblows systems? And I need the ability to dynamically
>block some gaming sites (kids playing too many hours of video).
>
>Then I read abo
cated?
If I add protection above layer 3, what is the best route (pun intended)
to protect some winblows systems? And I need the ability to dynamically
block some gaming sites (kids playing too many hours of video).
Then I read about NFtables... [1]
And there is more. So, being a bit busy
"iptables-1.8.1 build failure".
> Seems a dependency is missing in the ebuild.
It's been fixed upstream and will be released in due course. Meanwhile, you
can put 'net-firewall/iptables nftables' in /etc/portage/package.use, or a
file under there if it's a directory.
--
Regards,
Peter.
pendancies?!
> >
> > See the thread right next to yours, "iptables-1.8.1 build failure".
> > Seems a dependency is missing in the ebuild.
>
> It's been fixed upstream and will be released in due course. Meanwhile, you
> can put 'net-firewall/iptables
t's the case.
> You can, however, work around this in a rather unusual way via
> ip/nftables and DNAT.
Thanks, I should have known that was a problem that could be solved
with netfilter. After all, netfilter is apparently Turing-complete:
http://sgros.blogspot.com/2011/09/implementing-turing-machine-using.html
--
Grant
n 90%
> of QT as dependencies. I fondly remember IPCHAINS.
Personally I like nftables (the iptables successor) more. Mostly the same, but
in my eyes it's more convenient.
There are plenty of frontends, many of them in net-firewall/ in our tree ;)
(I tried to use ufw some years ago, but I
haps there is a gentoo wiki page that at least outlines the manual
processes (a structured approach) as users go down the pathway of
stripping out what their workstation does not need in a kernel?
Perhaps someone has a slick, home-spun, tool that readily identifies
what can be additionally strippe
On 26/11/19 23:56, Ralph Seichter wrote:
> * Adam Carter:
>
>> when i enable v6, all my internal hosts become directly routable from
>> the Internet via the /56 my ISP assigns me.
>
> Even pretty anemic hardware can handle the demands of an IPv6 firewall,
> for exam
solution, thank you for sharing. I had
completely forgotten the fact that filtering can be done based on UID/GID.
For the sake of completeness, here's the equivalent nftables solution
for those, such as myself, who may have migrated (exclusively) to nft:
table inet filter {
chain ou
re proceeding?
Oops, also add...
net-firewall/iptables-1.8.10:0/1.8.3::gentoo [1.8.9:0/1.8.3::gentoo]
USE="(split-usr) -conntrack -netlink -nftables -pcap -static-libs -test%" 627
KiB
--
Roses are red
Roses are blue
Depending on their velocity
Relative to you
ig" to check if changes were needed.
Recompiled 3 different times, minor changes, same result.
Reinstalled iptables, nftables, and ran "perl-cleaner reallyall".
Always locks up after rules compiled / starting to initialize iptables.
The firewalls tried :
arno-iptables-firewall,
64 system (a dev board with graphics chip like
96board. I can install gentoo on that with a minimum number of packages.
But let's say all I really want is IPtables (or nftables) and ssh.
Surely the default profile has more than is needed. So if everything not
absolutely was stripped out, it
t look very closely. It might be that some of
> the 1 - 1.5 year old issues are closed now.
LikeWhoa's work did not get disseminated widely for quite a while, so
you are not alone in missing persistence with usb and live installs.
I'm not sure he is the first, but, his work here at gent
3.17-r2:0/8::gentoo USE="elogind kill
ncurses nls (unicode) -modern-top (-selinux) (-split-usr*) -static-libs -
systemd -test" ABI_X86="(64) -32 (-x32)" 0 KiB
[ebuild R] sys-apps/shadow-4.14.2:0/4::gentoo USE="acl nls pam xattr -
audit -cracklib (-selinux) -skey (-spl
er a full backup runs tonight.
I did end up removing a small list of packages that were blocking
emerge in one way or another. -- I decided that removing them to
allow emerge to complete on its own accord was more expedient than
fighting them at the time. I will re-add them as necess
hat removing them to allow emerge
to complete on its own accord was more expedient than fighting them at
the time. I will re-add them as necessary.
- net-firewall/nftables
- net-fs/ncpfs
- media-gfx/gimp
- dev-python/pycairo
- dev-python/fido2
- net-analyzer/scapy
- app-crypt/yubi
m-%d -d "$(($age - 1)) days ago") $(date
> > +%Y-%m-%d -d "$age days ago")) | read hash date time; time git
> > checkout -b $date $hash; done
> >
> > Basically, this command starts at current; `stable`, and finds the
> > first (most recent) commit