
Linux Foundation

Firewalls with NFtables

Linux Foundation via YouTube

Overview

Explore the fundamentals of network security with this comprehensive tutorial on firewalls using NFtables. Dive into packet filtering techniques, stateless and stateful filters, and the evolution from Xtables to NFtables. Learn about network packet validation, port blocking challenges, and the importance of rule definition in firewall configuration. Discover the advantages and limitations of different filtering approaches, and understand the architecture and basic approach of NFtables. Gain practical insights into creating tables, chains, and rules using both command-line interface and file-based methods. Equip yourself with essential knowledge to protect systems from cyber threats and effectively manage network traffic.

Syllabus

Introduction
Network Packet Filtering • Within each operating system with network connectivity, we must take into account the evil cyber wonks, script kiddies, and drive-bys. They have nothing better to do with their time than attack the unsuspecting, or create botnets to do it for them.
Packet Filters • Validates a packet based mostly on the contents of its IP header
Well-Known Port Examples • Most systems (regardless of OS) have 65535 ports
Problems with Port Blocking • FTP example
Example Packet Filtering Rules • Packet filter behavior is defined by the use of rules
Stateless Filters: Pros & Cons • Advantages
Stateful Filters: Pros & Cons • Advantages
Problems with Xtables • The Xtables mechanism has been in use since the 2.4 kernel • Defining both stateless and stateful firewall rules can be tedious due to the number of rules that need to be written • The order of the rules is important
Enter nftables • In 2009, the nftables project was created by Patrick McHardy to address the perceived problems of netfilter code duplication for each protocol and of the Xtables mechanism slowing down packet handling • In the meantime, the ipset command was introduced to simplify the creation of efficient lookup tables for sets of addresses
nftables Architecture • In order to simplify all of the Xtables commands into a generic syntax with a common API and significantly reduce the amount of duplicated code, nftables borrows the interpreter VM concept from BPF
Basic Approach • The sequence of tasks in nftables is to create a table (or tables), then chain(s), then rule(s) • Each command should include an address family
CLI vs. File • It is possible to enter all of the elements of the tables via the nft CLI • However, some of the options can be tricky to enter from the command line due to the shell's line interpreter
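The syllabus items above (table, then chain, then rule, with an address family on each; stateful rules; the FTP port-blocking problem; CLI versus file) can be seen together in one ruleset. The following is an added example written for this page, not course material from the Linux Foundation. It is in file form because the braces and set literals are awkward to quote on a shell command line, which is the "CLI vs. File" point; the interface name, the admin addresses (from the 192.0.2.0/24 documentation range), and the allowed ports are placeholders chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; load with: nft -f /etc/nftables.conf
# Assumes a single-homed host; addresses and ports below are placeholders.

flush ruleset

# Address family "inet" covers IPv4 and IPv6 in one table.
table inet filter {

    # Named set: the lookup-table role that ipset played alongside Xtables.
    set admin_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }   # constructed placeholder addresses
    }

    # Conntrack helper for FTP: the data connection uses a negotiated port,
    # so a plain "block everything but 21" rule breaks passive/active FTP.
    # The helper lets the data connection be classified as "related".
    # Requires the nf_conntrack_ftp kernel module.
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain prerouting {
        type filter hook prerouting priority 0;
        tcp dport 21 ct helper set "ftp-standard"
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful rules: accept replies to flows we started, drop malformed state.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # ICMP is needed for path MTU discovery and IPv6 neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Management access only from the admin set (stateless match on the header
        # plus a set lookup); the first packet of a flow gets here as "new".
        tcp dport 22 ip saddr @admin_hosts accept

        # FTP control channel and web services for new connections.
        tcp dport { 21, 80, 443 } ct state new accept

        # Rule order matters: everything not matched above is counted, logged, and
        # then hits the chain's default drop policy.
        counter log prefix "nft-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load the file with `nft -f` and inspect the result with `nft list ruleset`; the same elements can be added one at a time with `nft add table inet filter`, `nft add chain ...` and `nft add rule ...`, but the set and chain definitions then need shell quoting around every brace, which is why a file is the usual form for a complete ruleset.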

Taught by

Linux Foundation
