Hi David and others,

I consider not having nftables enabled by default in bookworm a bug; let me 
explain why...


>> It seems the bookworm release comes with NO firewall solution enabled !
>> Iptables is no longer installed by default 
>> The nft service is NOT enabled by default.

> It seems like you missed reading the Release Notes:
> 
>   §2.2.6 Network filtering based on nftables framework by default

Ok, I was "talking" about bookworm, these are the release notes for Buster, not 
even Bullseye. I was not interested in nft at that time and probably glanced 
over it. 
I can understand nft not being enabled by default in Buster, we still had a 
fully functional iptables at that point, I guess most of us still used it at 
that time.

> and the reference there to https://wiki.debian.org/nftables which has its § 
> "nftables in Debian the easy way".

This still talks about installing nftables; that is also very old.

But yes, I must have missed it because I never enabled the nftables "service".

What I am talking about now is that iptables is gone (by default). There is 
also a default nftables.conf file, but ... it is almost useless and even 
misleading because it never gets used.
And unless you make an obvious error and NOT expect your service(s) to work why 
would you be surprised when the (non existing) firewall enables the services to 
work as they should?

In all the 20+ years I have been writing firewalls I have always written them 
by starting from a closed firewall to open just the right services/ports. I 
would never test if something worked for which I never opened the corresponding 
port, why would I? I would test if something worked for which I had supposedly 
opened the correct network port.
Also in those days with ipchains and iptables there were scripts and if there 
was an error I would see it when testing the script. 

If I test the /etc/nftables.conf file as a script it will even work flawlessly 
with no errors. I can even use the nft list ruleset command afterwards to see I 
have a working firewall.
Unfortunately that works only until the next reboot, but why would I think so?

Why, now that we are at bookworm, is the nftables service not enabled by 
default? With a default ruleset that pretty much leaves it all open but is a 
starting point.
If we do not want that, then at least the default config should contain a 
warning about first enabling the service or scripting something to have it 
working (after a reboot).

I think this is the first time I have come across something in Debian that 
after being installed by default does nothing, even when provided with a valid 
config file at the proper location.
I consider that a bug.

Here is something similar.
Consider opening your door with a key. Every time you open the door with the 
key it opens. All is well, you bought the cylinder and key for the lock at a 
very good locksmith. You told him you had been installing cylinders in doors 
for years and you were able to insert this cylinder in the door.
Until sometime later you find out the door never locks, it is always open, that 
is why you could always enter.
It turns out you first need to enable the cylinder before it does something 
useful with the key provided.
That was something completely new, you had never heard of it before, and 
neither had I, though. ;-)

Bonno Bloksma
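As an added example (not from the post or from the Debian project), here is a POSIX shell script that separates the three things the post runs together: whether /etc/nftables.conf parses, whether a ruleset is actually loaded in the kernel, and whether nftables.service is enabled so the ruleset comes back after a reboot. The file path and unit name are the Debian defaults; the sample ruleset at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that an nftables ruleset
# is (a) syntactically valid, (b) loaded in the kernel and (c) reloaded at
# boot by nftables.service. File and unit names are Debian defaults.
CONF=${CONF:-/etc/nftables.conf}
# Read `nft list ruleset` output on stdin and print one word:
#   empty     - no tables at all, nothing is filtering
#   open      - tables exist, but no input-hook chain defaults to drop
#   filtering - an input-hook base chain has policy drop
classify_ruleset() {
    awk '/^table /                      { tables++ }
         /hook input/ && /policy drop/ { drop_input++ }
         END { if (tables == 0) print "empty"
               else if (drop_input) print "filtering"
               else print "open" }'
}
# Combine the three facts the post is about into one verdict.
#   $1: output of `systemctl is-enabled nftables` (enabled, disabled, ...)
#   $2: exit status of `nft -c -f $CONF` (0 = parses cleanly)
#   $3: classification of the live ruleset from classify_ruleset
verdict() {
    enabled=$1; parse_rc=$2; live=$3
    if [ "$parse_rc" -ne 0 ]; then
        echo "BROKEN: $CONF does not parse"
    elif [ "$live" = empty ]; then
        echo "NOT_LOADED: $CONF parses but no ruleset is active in the kernel"
    elif [ "$enabled" != enabled ]; then
        echo "NOT_PERSISTENT: ruleset active now, but nftables.service is $enabled, so it is gone after a reboot"
    elif [ "$live" = open ]; then
        echo "OPEN: loaded and persistent, but no input chain drops by default"
    else
        echo "OK: ruleset loaded, drops by default and is reloaded at boot"
    fi
}
# Run the checks against the live host; returns 2 when nft/systemctl are absent.
check_host() {
    command -v nft >/dev/null 2>&1 && command -v systemctl >/dev/null 2>&1 || return 2
    enabled=$(systemctl is-enabled nftables 2>/dev/null); [ -n "$enabled" ] || enabled=unknown
    nft -c -f "$CONF" >/dev/null 2>&1; parse_rc=$?
    live=$(nft list ruleset 2>/dev/null | classify_ruleset)
    verdict "$enabled" "$parse_rc" "$live"
}
# Without the tools, classify a constructed ruleset shaped like Debian's
# default /etc/nftables.conf (every chain policy accept): verdict is OPEN.
check_host || verdict enabled 0 "$(printf '%s\n' \
    'table inet filter {' \
    '	chain input { type filter hook input priority filter; policy accept; }' \
    '}' | classify_ruleset)"
```

Running it on a host that loaded the file once with `nft -f` but never enabled the unit prints the NOT_PERSISTENT line, which is exactly the situation the post describes.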