On Tue 25 Apr 2023 at 08:59:23 (+0000), Bonno Bloksma wrote:
>
> Did I discover a bug in the bookworm release? I think we can argue both for and against but I am calling it a bug.
>
> It seems the bookworm release comes with NO firewall solution enabled!
> Iptables is no longer installed by default.
> The nft service is NOT enabled by default.
>
> After searching some more I found "Enable and start the nftables service by":
> sudo systemctl enable nftables
> sudo systemctl start nftables.
> Looking at the sudo stuff it must have been written for Ubuntu. And indeed, I now have an nft service that will by default load the /etc/nftables.conf file :-)
> The start command in itself is not needed, it just starts the firewall right away.
>
> I do NOT understand why it is not enabled by default with the default config as it is.
> The firewall in itself is open enough that it does not block stuff, but it does allow someone to build upon it or to replace it with a proper firewall.
>
> There probably was a discussion about it sometime in the past and this is what "they" came up with.
> Still, I think there should be a better way: have a default (semi) open firewall and have it enabled by default.
>
> Now all I need to do is go to my existing Buster installs and enable the firewall. It seems after I changed the iptables script to an nft config I have been running my Buster machines with a proper nft config that NEVER got loaded. :-(
It seems like you missed reading the Release Notes: §2.2.6 "Network filtering based on nftables framework by default" and the reference there to https://wiki.debian.org/nftables which has its § "nftables in Debian the easy way".

Cheers,
David.
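As an added example (not part of either message above, and not Debian's own tooling): a small POSIX shell script that does what the first message describes, with the two checks a practitioner would want around it. It syntax-checks /etc/nftables.conf before enabling the unit, so a typo does not leave the host with an empty ruleset after the next reboot, and afterwards it confirms that the kernel ruleset is actually non-empty, which is exactly the failure the first message ran into on the Buster machines. It assumes Debian's nftables package, the unit name `nftables`, and the config path `/etc/nftables.conf` (overridable via `NFT_CONF`); the helper names are mine.

```shell
#!/bin/sh
# Added example: enable Debian's nftables unit so /etc/nftables.conf is loaded
# at boot, and verify the ruleset really reached the kernel.
# Assumptions (not from the thread): unit name "nftables", config path below,
# root privileges for the steps that change state. The "ruleset_*" helpers are
# pure text checks and can run anywhere.

NFT_CONF="${NFT_CONF:-/etc/nftables.conf}"

# Given the text of `nft list ruleset`, return 0 if at least one table is
# defined (config was loaded), 1 if the kernel ruleset is empty.
ruleset_has_table() {
    printf '%s\n' "$1" | grep -q '^table '
}

# Given the text of `nft list ruleset`, print the number of top-level tables.
ruleset_table_count() {
    printf '%s\n' "$1" | grep -c '^table '
}

# Syntax-check the config without touching the kernel (nft -c = check only).
check_config() {
    nft -c -f "$NFT_CONF"
}

# Enable the unit so it runs at boot, and load the config now (the "start"
# step the first message noted is optional if you only care about next boot).
enable_and_load() {
    systemctl enable nftables
    systemctl start nftables
}

# Report whether the config is actually in the kernel right now.
verify_loaded() {
    current=$(nft list ruleset)
    if ruleset_has_table "$current"; then
        echo "nftables: ruleset loaded ($(ruleset_table_count "$current") table(s))"
    else
        echo "nftables: kernel ruleset is EMPTY; $NFT_CONF was never loaded" >&2
        return 1
    fi
}

# Only act when invoked as "sh enable-nft.sh --apply"; sourcing the file just
# defines the helpers.
if [ "${1:-}" = "--apply" ]; then
    check_config \
        && enable_and_load \
        && systemctl is-enabled --quiet nftables \
        && verify_loaded
fi
```

Run it as root with `--apply` once per host. After editing the config later, `nft -c -f /etc/nftables.conf` followed by `systemctl reload nftables` re-applies it atomically; `systemctl is-enabled nftables` plus a non-empty `nft list ruleset` is the quick way to spot a host that is in the "proper config that never got loaded" state.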