Admitting that I have have a non-simple firewall setup
When I talked about why I'm interested in nftables I mentioned in passing that I'd looked at FireHOL out of dissatisfaction with my current firewall stuff. In comments James mentioned settling on Shorewall and that plus a Twitter conversation got me to take a look at it too. My gut level reaction to Shorewall made me sit back and think about the whole situation with my firewall rules, and the result is that I've come to the simple and probably obvious conclusion that I don't have a simple firewall setup.
My view is that firewall management systems like Shorewall are a great fit if your problem is that you are trying to materialize a simple firewall setup in the 'low level assembly' of iptables or nftables rules, and the resulting rule complexity is getting really annoying. You know what you want to do, it's simple to express it at a high level, and it's only the low level nature of iptables that makes it a pain. FireHOL, Shorewall, and other systems then let you more or less directly express your simple desires and they manage the underlying iptables mess.
I don't have that situation. My high level desires are relatively complicated and entangled (especially once you start considering policy based routing as well as pure firewall rules). It is kind of annoying to express these in iptables rules, but in a modern environment with ipsets and a better understanding of how to use chains, it's actually not necessarily as painful as it looks to me today; clever use of nftables may make it even easier, and redoing things from the ground up is likely to help in general.
Since I'm starting with a somewhat complex situation, high level tools like FireHOL and Shorewall can't magically make my life simple the way I'd initially (and irrationally) hoped when I started looking into them. Maybe they can reduce the complexity a bit by providing more high level ways of expressing what I want, and perhaps that would be a win if I was starting from total scratch. But as it is, moving to something like Shorewall would require me to learn how to express my complexity in Shorewall instead of in the iptables rules that I already have.
On the one hand, in hindsight this feels like an obvious observation. On the other hand it's a useful clarifying one for me, because it means that I should stop looking for a magic solution that doesn't actually exist. Instead I should just get along with either reforming my iptables rules and adding IPv6 filtering or moving to nftables (with IPv6 filtering).
(Looking for magic solutions is always tempting if I think that one might exist because magic solutions mean less work. Well, if they exist. If they don't, it's easy to spend a bunch of time trying to find them.)
Comments on this page:Written on 06 November 2016.