On all modern linux’s, the iptables command is actually a compatibility layer controlling nftables.
I prefer it over the nft command because it’s much easier to read and use. I only use the nft command when checking for the occasional chain/table that iptables didn’t show me.
I didn’t realise I wanted to read up about Linux firewalls, but apparently I did. Thanks
I’ve wanted to for years. I’ve tried to multiple times. Like I love computers and programming I can get absolutely lost in code for hours. For whatever reason when I start to look at networking my brain switches off and says nope. I can clean enough to hack what I need for the most part, but of I strive for any depth of knowledge on the subject my brain shuts down.
Hoping this article is the ticket.
networking.firewall.enable = true;Tap for spoiler
Yeah I’m familiar with all the tools but - omg - have NixOS modules ever changed my life
What does it do?
Deletes /dev/null obviously
For me it’s clearly not obvious what exactly ‘enabling firewall’ entails, what policy is applied, what rules, etc., etc.
There are sensible defaults but it ultimately depends on what the module is doing and how you configure it.
The beauty is that this, or your own custom modules, become a declarative and reproducible abstraction layer which (if properly written) lets you focus on the what rather than the how.
… You could also write a bunch of scripts, which is what I used to do before I joined the cult.
Nftables rulesets are reproducible and let you focus on what rather than how. I’ve tried nix some time ago, conceptually cool distro, but it requires a lot of time, time that can be used configuring emacs 😝.
No mention of bpfilter unfortunately, would have been helpful to get a rough overview



