I have always had Gufw and iptables installed. I have now installed and enabled nftables. So, does Gufw configure nftables? My requirements are quite simple. I have Gufw configured as "Home", "On" (or, now, a simple check mark), Incoming "Deny", Outgoing "Allow". Easy, peasy, and I have no desire, or need, to create more rules. That said, when I checked the status of my nftables service,
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
sudo apt install iptables-nftables-compat
sudo iptables-save > iptables.dump
sudo iptables-restore-translate -f iptables.dump > ruleset.nft
sudo nft -f ruleset.nft
$ sudo nft list ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
counter packets 1 bytes 91 jump ufw-before-logging-input
counter packets 1 bytes 91 jump ufw-before-input
counter packets 0 bytes 0 jump ufw-after-input
counter packets 0 bytes 0 jump ufw-after-logging-input
counter packets 0 bytes 0 jump ufw-reject-input
counter packets 0 bytes 0 jump ufw-track-input
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 0 bytes 0 jump ufw-before-logging-forward
counter packets 0 bytes 0 jump ufw-before-forward
counter packets 0 bytes 0 jump ufw-after-forward
counter packets 0 bytes 0 jump ufw-after-logging-forward
counter packets 0 bytes 0 jump ufw-reject-forward
counter packets 0 bytes 0 jump ufw-track-forward
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 2 bytes 143 jump ufw-before-logging-output
counter packets 2 bytes 143 jump ufw-before-output
counter packets 0 bytes 0 jump ufw-after-output
counter packets 0 bytes 0 jump ufw-after-logging-output
counter packets 0 bytes 0 jump ufw-reject-output
counter packets 0 bytes 0 jump ufw-track-output
}
chain ufw-after-forward {
}
chain ufw-after-input {
udp dport 137 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
udp dport 138 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
tcp dport 139 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
tcp dport 445 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
udp dport 67 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
udp dport 68 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
fib daddr type broadcast counter packets 0 bytes 0 jump ufw-skip-to-policy-input
}
chain ufw-after-logging-forward {
limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
}
chain ufw-after-logging-input {
limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
}
chain ufw-after-logging-output {
}
chain ufw-after-output {
}
chain ufw-before-forward {
ct state established,related counter packets 0 bytes 0 accept
icmp type destination-unreachable counter packets 0 bytes 0 accept
icmp type time-exceeded counter packets 0 bytes 0 accept
icmp type parameter-problem counter packets 0 bytes 0 accept
icmp type echo-request counter packets 0 bytes 0 accept
counter packets 0 bytes 0 jump ufw-user-forward
}
chain ufw-before-input {
iifname "lo" counter packets 0 bytes 0 accept
ct state established,related counter packets 1 bytes 91 accept
ct state invalid counter packets 0 bytes 0 jump ufw-logging-deny
ct state invalid counter packets 0 bytes 0 drop
icmp type destination-unreachable counter packets 0 bytes 0 accept
icmp type time-exceeded counter packets 0 bytes 0 accept
icmp type parameter-problem counter packets 0 bytes 0 accept
icmp type echo-request counter packets 0 bytes 0 accept
udp sport 67 udp dport 68 counter packets 0 bytes 0 accept
counter packets 0 bytes 0 jump ufw-not-local
ip daddr 224.0.0.251 udp dport 5353 counter packets 0 bytes 0 accept
ip daddr 239.255.255.250 udp dport 1900 counter packets 0 bytes 0 accept
counter packets 0 bytes 0 jump ufw-user-input
}
chain ufw-before-logging-forward {
}
chain ufw-before-logging-input {
}
chain ufw-before-logging-output {
}
chain ufw-before-output {
oifname "lo" counter packets 0 bytes 0 accept
ct state established,related counter packets 2 bytes 143 accept
counter packets 0 bytes 0 jump ufw-user-output
}
chain ufw-logging-allow {
limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW ALLOW] "
}
chain ufw-logging-deny {
ct state invalid limit rate 3/minute burst 10 packets counter packets 0 bytes 0 return
limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
}
chain ufw-not-local {
fib daddr type local counter packets 0 bytes 0 return
fib daddr type multicast counter packets 0 bytes 0 return
fib daddr type broadcast counter packets 0 bytes 0 return
limit rate 3/minute burst 10 packets counter packets 0 bytes 0 jump ufw-logging-deny
counter packets 0 bytes 0 drop
}
chain ufw-reject-forward {
}
chain ufw-reject-input {
}
chain ufw-reject-output {
}
chain ufw-skip-to-policy-forward {
counter packets 0 bytes 0 drop
}
chain ufw-skip-to-policy-input {
counter packets 0 bytes 0 drop
}
chain ufw-skip-to-policy-output {
counter packets 0 bytes 0 accept
}
chain ufw-track-forward {
}
chain ufw-track-input {
}
chain ufw-track-output {
ip protocol tcp ct state new counter packets 0 bytes 0 accept
ip protocol udp ct state new counter packets 0 bytes 0 accept
}
chain ufw-user-forward {
}
chain ufw-user-input {
}
chain ufw-user-limit {
limit rate 3/minute counter packets 0 bytes 0 log prefix "[UFW LIMIT BLOCK] "
counter packets 0 bytes 0 reject
}
chain ufw-user-limit-accept {
counter packets 0 bytes 0 accept
}
chain ufw-user-logging-forward {
}
chain ufw-user-logging-input {
}
chain ufw-user-logging-output {
}
chain ufw-user-output {
}
}
I apologize for including all this, however... Gufw says the firewall is functioning okay, but is it using the iptables settings or the nftables settings? Did I manage to migrate the old to the new? Thank you for any comments. Slainte!
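As an added example (not from the post, and not Gufw's or ufw's own code), a small Python script that reads `nft list ruleset` output, lists every base chain with its hook and default policy, reports which default actually applies per hook, and checks whether ufw-managed chains are loaded at all. The sample listing is constructed from the post's output, abridged; the per-hook logic assumes the nftables rule that an accept verdict in one base chain does not stop the other base chains on the same hook from evaluating the packet.

```python
import re

# Constructed sample, abridged from the `nft list ruleset` output in the post.
SAMPLE_RULESET = """
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
    chain ufw-before-input {
    }
}
"""
TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
BASE_RE = re.compile(r"^type\s+\w+\s+hook\s+(\w+)\s+priority\s+[^;\s]+\s*;\s*policy\s+(\w+)\s*;")

def parse_base_chains(text):
    """Return (table, chain, hook, policy) for every base chain in the listing."""
    table, chain, found = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):
            table = f"{m.group(1)} {m.group(2)}"
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif (m := BASE_RE.match(line)) and table and chain:
            found.append((table, chain, m.group(1), m.group(2)))
    return found

def effective_policy(base_chains):
    """Default verdict per hook across all tables: a packet accepted by one base
    chain still traverses the others on that hook, and any drop is final."""
    by_hook = {}
    for _, _, hook, policy in base_chains:
        by_hook.setdefault(hook, []).append(policy)
    return {h: "drop" if "drop" in p else "accept" for h, p in by_hook.items()}

def ufw_chains(text):
    """Names of ufw-managed chains in the listing; empty means no ufw rules loaded."""
    return sorted(set(re.findall(r"^\s*chain\s+(ufw-\S+)\s*\{", text, re.M)))
```

Run it over real `sudo nft list ruleset` output instead of the sample: with the listing in the post, the empty `inet filter` table with policy accept changes nothing, and the `ip filter` table carrying the ufw chains is what drops unsolicited input.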