Having found ufw suited my needs, I have only dabbled with firewalld / 
firewall-config / firewall-applet over the years.

Having noticed the recommendation for firewalld on the Debian wiki re nftables, 

https://wiki.debian.org/nftables#Use_firewalld

I installed it and had a look at the default ruleset with

$ sudo nft list ruleset

If, as I understand it, the nftables default policy is accept, 

"NOTE: If no policy is explicitly selected, the default policy accept will be 
used."
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains

firewalld doesn't seem to "drop all input unless allowed" by default, as ufw's 
ruleset with only port 22 opened suggests it does.

If there is no drop by default, why add "policy accept" for related/established 
as it does?  Doesn't this happen anyway?

Isn't this less secure, as it seems?

The nftables wiki suggests "policy drop" for input, but the examples are rather 
restrictive.

https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation

https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server

nmap from another machine confirms only port 22 is open via firewalld (which is 
the default), but is default acceptance in other respects a security risk?

I haven't included rulesets but happy to provide if wanted.

Thanks,
Gareth
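For readers following this thread: a chain's `policy` in nftables is the verdict applied only to packets that reach the end of the chain without matching a terminating rule (accept, drop, reject, jump to a chain that terminates). So whether a ruleset is "drop all input unless allowed" depends on either `policy drop` on the input base chain or an explicit terminating drop/reject as the last rule; firewalld's nftables backend takes the second approach, which can be checked on the box in question with `sudo nft list chain inet firewalld filter_INPUT` and compared with the nmap result. The ruleset below is an added example in nftables syntax, not the poster's ruleset and not the rules firewalld or ufw generate; the table name `host` and the SSH-only allow list are assumptions for illustration. It shows the `policy drop` shape the nftables wiki pages linked above recommend, with comments on why the `ct state established,related accept` rule matters under `policy drop` and what it does under `policy accept`.

```nft
#!/usr/sbin/nft -f
# Added example (assumed table name "host"; not firewalld's or ufw's rules).
# Check syntax without loading:  sudo nft -c -f host.nft
# Apply:                         sudo nft -f host.nft
# Caveat: "flush ruleset" replaces everything currently loaded, including
# firewalld's or ufw's tables, so only apply this on a host where neither
# tool manages the firewall.
flush ruleset

table inet host {
    chain input {
        # The policy is the verdict for packets that fall off the end of the
        # chain. "policy accept" would let every unmatched packet in;
        # "policy drop" is the "drop all input unless allowed" behaviour.
        type filter hook input priority 0; policy drop;

        # Loopback traffic is needed by local services.
        iifname "lo" accept

        # Conntrack: under policy drop this rule is what lets the reply
        # packets of outbound connections back in. Under policy accept it
        # does not change the verdict for those packets; it only ends
        # evaluation early so later rules are not consulted for them.
        ct state established,related accept

        # Packets conntrack cannot associate with any flow.
        ct state invalid drop

        # ICMP / ICMPv6 housekeeping (echo, errors, neighbour discovery).
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # The only exposed service in this example: SSH. Add further
        # "tcp dport N accept" lines for anything else the host should serve.
        tcp dport 22 accept
    }

    chain forward {
        # Not a router: forward nothing.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic is allowed; replies come back via the
        # established,related rule above.
        type filter hook output priority 0; policy accept;
    }
}
```

After loading, `sudo nft list ruleset` should show `policy drop` on the `input` and `forward` chains, and an nmap scan from another machine should report port 22 open and the remaining ports filtered, since unmatched SYNs are silently dropped rather than answered. Removing the `ct state established,related accept` line from this ruleset is an easy way to see the difference the poster asks about: with `policy drop`, outbound connections from the host then stop working because their replies no longer have a rule to accept them.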
