Hi David and others, I consider not having nftable enabled by default in bookworm a bug, let me explain why...
>> It seems the bookworm release comes with NO firewall solution enabled ! >> Iptables is no longer installed by default >> The nft service is NOT enabled by default. > It seems like you missed reading the Release Notes: > > §2.2.6 Network filtering based on nftables framework by default Ok, I was "talking" about bookworm, these are the release notes for Buster, not even Bullseye. I was not interested in nft at that time and probably glanced over it. I can understand nft not being enabled by default in Buster, we still had a fully functional iptables at that point, I guess most of us still used it at that time. > and the reference there to https://wiki.debian.org/nftables which has its § > "nftables in Debian the easy way". This still talks about installing nftables, that is also very old. But yes, I must have missed it because I never enabled the nftables "service". What I am talking about now is that iptables is gone (by default). There is also a default nftables.conf file, but ... it is almost useless and even misleading because it never gets used. And unless you make an obvious error and NOT expect your service(s) to work why would you be surprised when the (non existing) firewall enables the services to work as they should? In all the 20+ years I have been writing firewalls I have always written them by starting from a closed firewall to open just the right services/ports. I would never test if something worked for which I never opened the corresponding port, why would I? I would test if something worked for which I had supposedly opened the correct network port. Also in those days with ipchains and iptables there were scripts and if there was an error I would see it when testing the script. If I test the /etc/nftables.conf file as a script it will even work flawlessly with no errors. I can even use the nft list ruleset command afterwards to see I have a working firewall. Unfortunately that works only until the next reboot, but why would I think so? Why, now that we are at bookworm, is the nftables service not enabled by default? With a default ruleset that pretty much leaves it all open but is a starting point. If we do not want that, then at least the default config should contain a warning about first enabling the service or scripting something to have it working (after a reboot). I think this is the first time I have come across something in Debian that after being installed by default does nothing, even when provided with a valid config file at the proper location. I consider that a bug. Here is something similar. Consider opening your door with a key. Every time you open the door with the key it opens. All is well, you bought the cylinder and key for the lock at a very good locksmith. You told him you had been installing cylinders In doors for years and you were able to insert this cylinder in the door. Until sometime later you find out the door never locks, it is always open, that is why you could always enter. It turns out you first need to enable the cylinder before it did something useful with the key provided. That was something completely new, you never heard of it before, neither do I though. ;-) Bonno Bloksma
