Hi Paul, On Wed, 28 Jul 2021, Paul Kosinski via clamav-users wrote:
In my case, I can't simply upgrade to the latest Debian (or any other distro), as one of the systems is our home firewall and gateway -- with iptables, multi-LAN routing (with local DNS), a bit of bridging, encrypted tunnels to elsewhere, etc. This means we would lose *all* Internet connectivity for who knows how long if I tried an in-place upgrade.
I'd recommend not using any big distro for your perimeter firewall. I use one of the purpose-built stripped-down firewall distributions. The maintenance needed on it is minimal, and it doesn't prevent you from having firewalls on other machines too. To get to *any* of our servers from outside, packets must traverse at least three firewalls.
So the only way to move forward seems to be to rebuild our system on separate hardware. I have started this on hardware I already mainly have (being retired, and thus without corporate budget or staff).
One of the slightly unexpected benefits of using things like the Raspberry Pi is that you can have a few of them kicking around which are surplus to requirements and just fire one up as and when needed. It's really easy to image a micro-SD card, tweak a few settings and plug it in. I'm tempted to say that it's easier than spinning up a virtual machine, although bad experience of the Pi4B's stability is the main reason that we haven't moved a half-dozen VMs to Pi4Bs; we still run a VM server. The other Pis don't seem to have the issues with stability that the 4B has. That's several years of experience using dozens of them running 24/365 for all kinds of tasks including database, file and backup servers, intranet, mail, security including CCTV, and of course desktop use.
Finally, building this new system is made even more difficult by the fact that iptables has recently been replaced by nftables, whose native syntax has been "improved" to be quite different. There is, at least, a legacy iptables interface to it ...
Like you I've been a bit perplexed by nft. My milters write firewall rules on the fly, and at one time I thought I'd need to recode a few chunks to keep up with the Netfilter developments. After spending a while looking into it and chatting on the netfilter mailing list with people much more familiar with nft than I, it seems that while there are some efficiency improvements for writing complex rulesets, if you don't feel the need for them you can just ignore it and carry on with what they're calling 'iptables-legacy' as if nothing's happened. For the foreseeable future, that's what I'll be doing. I can write rules with iptables in my sleep, I frequently modify rulesets 'live' on the servers, but I don't think I could write the simplest rule with nft and get it right first time and I wouldn't dream of doing it live on the box without testing it first.
P.S. The last time I upgraded our firewall, from x86 to x86_64, at least iptables was quite compatible with ipchains, and Linux as a whole was still in the early stages of its exponential growth in complexity.
As I understand it the underlying kernel structures and capabilities are not changed with nftables. Both the 'iptables' and 'nft' binaries operate on the same structures and filtering takes place in the same places. So there's less incompatibility between nft and iptables than there was between iptables and ipchains. See for example: https://www-uxsup.csx.cam.ac.uk/pub/doc/redhat/redhat7.3/rhl-rg-en-7.3/s1-iptables-differences.html

HTH -- 73, Ged.
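As an added illustration of the syntax gap Paul and Ged are discussing (this is not code from the thread, nor from the netfilter project): a small Python translator that turns a handful of common iptables filter-table rules into their nft equivalents. It mimics the shape of what the real iptables-translate tool prints for such rules; that parity, the supported option subset, and the constructed sample rules are all assumptions of the example. Its deliberately strict error handling reflects Ged's point about not touching a live box untested: any option or target the translator does not fully understand is refused rather than rendered into something plausible-looking, so the rule can be checked by hand first.

```python
"""Translate a small subset of iptables rule syntax into nft syntax.

Constructed example for comparing the two syntaxes; it is not code from the
clamav-users thread, and it only mimics the shape of the output produced by
the real `iptables-translate` tool for common filter-table rules. Anything it
does not recognise raises ValueError, so an unsupported rule is never turned
into a plausible-looking but wrong nft rule.
"""
import shlex

# Single-argument matches that map directly onto one nft expression.
SIMPLE = {
    "-s": "ip saddr {}", "--source": "ip saddr {}",
    "-d": "ip daddr {}", "--destination": "ip daddr {}",
    "-i": 'iifname "{}"', "--in-interface": 'iifname "{}"',
    "-o": 'oifname "{}"', "--out-interface": 'oifname "{}"',
}
# Built-in targets with a direct nft verdict; anything else is refused.
VERDICTS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject", "RETURN": "return"}


def _arg(argv, i):
    """Return the value following option argv[i], failing loudly if absent."""
    if i + 1 >= len(argv):
        raise ValueError(f"option {argv[i]} is missing its argument")
    return argv[i + 1]


def translate(rule: str) -> str:
    """Return the nft equivalent of one iptables filter rule (IPv4 only)."""
    argv = shlex.split(rule)
    if argv and argv[0] == "iptables":
        argv = argv[1:]
    cmd, table, chain, proto, verdict = "add", "filter", None, None, None
    exprs = []            # nft match expressions, kept in the order given
    proto_idx = None      # where "ip protocol X" goes if no port match uses X
    port_seen = False
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-t", "--table"):
            table = _arg(argv, i)
        elif tok in ("-A", "--append", "-I", "--insert"):
            cmd = "insert" if tok in ("-I", "--insert") else "add"
            chain = _arg(argv, i)
        elif tok in ("-p", "--protocol"):
            proto, proto_idx = _arg(argv, i).lower(), len(exprs)
        elif tok in SIMPLE:
            exprs.append(SIMPLE[tok].format(_arg(argv, i)))
        elif tok in ("--dport", "--destination-port", "--sport", "--source-port"):
            # Port matches belong to the tcp/udp match loaded by -p, as in iptables.
            if proto not in ("tcp", "udp"):
                raise ValueError(f"{tok} needs -p tcp or -p udp before it")
            kind = "dport" if tok.startswith("--d") else "sport"
            exprs.append(f"{proto} {kind} {_arg(argv, i)}")
            port_seen = True
        elif tok in ("-m", "--match") and _arg(argv, i) in ("state", "conntrack"):
            pass              # the module name itself adds nothing in nft
        elif tok in ("--state", "--ctstate"):
            exprs.append("ct state " + _arg(argv, i).lower())
        elif tok in ("-j", "--jump"):
            target = _arg(argv, i)
            if target not in VERDICTS:
                raise ValueError(f"target {target} needs hand translation")
            verdict = VERDICTS[target]
        else:
            raise ValueError(f"cannot translate option {tok!r}; check the rule by hand")
        i += 2                # every accepted option consumes exactly one argument
    if chain is None or verdict is None:
        raise ValueError("rule needs both a chain (-A/-I) and a target (-j)")
    if proto and not port_seen:
        exprs.insert(proto_idx, f"ip protocol {proto}")
    return f"nft {cmd} rule ip {table} {chain} {' '.join(exprs)} counter {verdict}"


# Constructed sample rules (RFC 5737 documentation addresses), not real config.
SAMPLE_RULES = [
    "iptables -A INPUT -i eth0 -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT",
    "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -p icmp -j DROP",
    "iptables -A FORWARD -p tcp --dport 25 -o eth1 -j REJECT",
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(r, "\n  ->", translate(r))
```

Running it side by side with the real iptables-translate on the same rules is a cheap way to see where the two syntaxes differ before committing any ruleset change; the refusals are the interesting output, since each one marks a rule that still needs a human to write the nft form and test it off the production box.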
