Overview
Syllabus
Introduction
Network Packet Filtering • Within each operating system with network connectivity, we must take into account the evil cyber wonks, script kiddies, and drive-bys. They have nothing better to do with their time than attack the unsuspecting, or create botnets to do it for them
Packet Filters • Validates a packet based mostly on the contents of its IP header
Well-known Port Examples • Most systems (regardless of OS) have 65535 ports
Problems with Port Blocking • FTP example
Example Packet Filtering Rules • Packet filter behavior is defined by the use of rules
Stateless Filters: Pros & Cons • Advantages
Stateful Filters: Pros & Cons • Advantages
Problems with Xtables
• The Xtables mechanism has been in use since the 2.4 kernel
• Defining both stateless and stateful firewall rules can be tedious due to the number of rules that need to be written
• The order of the rules is important
Enter nftables
• In 2009, the nftables project was created by Patrick McHardy to address the perceived problems of netfilter code duplication for each protocol and that of the Xtables mechanism slowing down packet handling
• In the meantime, the ipset command was introduced to simplify the creation of efficient lookup tables for sets of addresses
nftables Architecture • In order to simplify all of the Xtables commands into a generic syntax with a common API and significantly reduce the amount of duplicated code, nftables borrows the interpreter VM concept from BPF
Basic Approach
• The sequence of tasks in nftables is to create a table (or tables), then chain(s), then rule(s)
• Each command should include an address family
CLI vs. File
• It is possible to enter all of the elements of the tables via the nft CLI
• However, some of the options can be tricky to enter from the command line due to the shell's line interpreter
Taught by
Linux Foundation