I've recently set up nftables firewalls on the machines of my little home network. I was a little optimistic and thought I could get by with a simple one that only allows ssh and nfs in, i.e., two TCP ports, and mDNS with its slightly more complex rules.
But then... One machine has a radius server that needs UDP port 1812 open. And another is a print server with CUPS and SMB which apparently need at least TCP ports 631 and 137 open. How could I neatly incorporate these minor tweaks in a single nft script? I was thinking of git branches where I can make changes to the "main" firewall and merge those changes to the slightly tweaked branches. Or possibly also some preprocessor type of thing that generates three versions of the firewall script. Or just generate the whole nft scripts with the small variants. Just wondering what other people are doing with this sort of thing? I also need some way of pushing these firewall scripts and other config stuff over to the machines too. It's not a huge network but manually logging into each machine, overwriting /etc/nftables.conf and restarting nftables.service is a pain. cdist looks interesting and simple, does anyone have experience with it?
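One way to keep a single base ruleset and still open the radius and print-server ports only where needed is to declare empty named sets in the shared file and let a per-host drop-in add elements to them. This is an added example, not the poster's own config; the `/etc/nftables.d/` path, the drop-in file names and the NFS port (2049/tcp) are assumptions, while 22, 5353, 1812, 631 and 137 are the ports named in the post.

```nft
#!/usr/sbin/nft -f
# Assumed layout (example only): this base file is /etc/nftables.conf on
# every host; per-host drop-ins live in /etc/nftables.d/ and do nothing
# but add elements to the two sets declared below.
flush ruleset

table inet filter {
    # Empty by default; a drop-in on the radius or print host fills them.
    set tcp_extra { type inet_service; }
    set udp_extra { type inet_service; }

    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept

        # Common to every host: ssh and NFS (2049/tcp assumed).
        tcp dport { 22, 2049 } accept

        # mDNS: only queries sent to the well-known multicast addresses.
        ip daddr 224.0.0.251 udp dport 5353 accept
        ip6 daddr ff02::fb udp dport 5353 accept

        # Host-specific ports come from the sets, never from edited rules,
        # so the rules above stay byte-identical on all three machines.
        tcp dport @tcp_extra accept
        udp dport @udp_extra accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# Glob include: a pattern that matches no file is not an error, so the
# same base file loads unchanged on hosts that need nothing extra.
include "/etc/nftables.d/*.nft"

# Constructed drop-ins (assumed file names), one per specialised host:
#
# /etc/nftables.d/radius.nft on the radius server:
#   add element inet filter udp_extra { 1812 }
#
# /etc/nftables.d/print.nft on the print server (ports as listed above):
#   add element inet filter tcp_extra { 631, 137 }
```

Running `nft -c -f /etc/nftables.conf` on a host parses the base file plus its drop-ins without loading them, which is a cheap check to run before restarting nftables.service after a push.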