Hi, Matt Darfeuille schrieb am 22.07.2019 14:00:
> On 7/22/2019 12:39 PM, Timo Sigurdsson wrote: >> Hi, >> >> some of you may be aware of the new default firewall backend in Debian 10 >> alias Buster, i.e. Buster defaults to nftables and all of xtables programs >> (iptables, ip6tables, etc.) are merely symlinks to iptables-nft, >> ip6tables-nft, etc. This means you can use the iptables syntax, but will >> actually get nftables rules. As I am planning to upgrade my router machine to >> Debian 10 in the near future, I was wondering whether I should take any >> precautions prior or during the upgrade with regards to shorewall. I use >> shorewall in a dual-stack setup with one WAN interface and several LAN-side >> interfaces and zones. >> > > To air on the side of caution, I would test Shorewall and the desired > configuration using a VM or a chroot when moving away from Iptables and > report back any issues you might encounter. so, I went ahead and migrated the first system (a VPN server with a rather simple shorewall configuration) to Debian Buster - first in a VM and then the actual machine. The transition was quite smooth. I updated the configuration files and regenerated the capabilities files for shorewall and shorewall6 - and I was good to go. While I haven't done extensive testing against my firewall rules yet, everything seems to behave normal. I did intentionally generate traffic that violates one of my rules and it was blocked as expected. I do notice one nice improvement, though. Looking at the generated rules with `nft list ruleset`, the output is actually quite easy to read. At least for me, it's much easier to understand than the iptables syntax. ;) I haven't really encountered any issue caused by shorewall or the new nftables backend yet. But I did find some kind of race condiion that's new. My DHCPv6 client on that machine seems to be started too early so it gives up waiting for a server (router). If I restart it later, it works fine, so I assume there is a race between starting shorewall and the DHCPv6 client (maybe the stoppedrules are still active?). For now, I just added a 10 seconds delay to the start of the DHCPv6 client which works around the issue. I'll have a look at that later again. Anyway that's certainly not an issue the list should be concerned with. On a sidenote: Does anyone know why the default value for TRACK_PROVIDERS in shorewall.conf has changed from No to Yes in Buster (compared to Stretch)? I didn't see anything in the docs or changelos that would explain this change. But then again, I don't have multiple providers so it probably doesn't make any difference in my case. Cheers, Timo _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
