Date: 2025-02-25

# Linux firewall - nftables

After all, it is not as complicated as it felt at first touch. What made it feel complicated was mostly that the whole internet is full of complex and nonsense examples, and several "frontends" are recommended everywhere, which make it even more complex and cumbersome. I have no idea how people come up with their complicated config files, but when I see how big something as simple as a text editor config can get, I can imagine ;/ So, as usual, the broken part was just people ;/

In the end, I finished with a very similar nftables setup to the one I had previously with pf - Packet Filter on OpenBSD.

=> /legacy/nftables.nft

I also have /etc/nftables.d/blocklist, which includes around 100 000 blocked IP addresses and IP ranges. This setup practically blocks all bots which previously attacked my port 25. Obviously the most important part is this blocklist. Disabling ports was not necessary, as I forward only the needed ports from my router. But one extra line does not hurt, and it looks like I know what I am doing ;/

Now, since I don't receive or send any email, any IP address in /var/log/mail is junk. So I extract all IP addresses from there, add them to the blocklist, erase the mail log file, and add those newly collected IP addresses to the blocklist set in nftables. As a true Perl monk, the script is obviously in Perl ;/

=> /legacy/bip.pl

I started with a somewhat different setup, where the blocked IP addresses were not in a "set". That setup added about 30ms of latency to every connection.

In the end, it was not that hard or complicated. I would say nftables is okayish and usable.

Sometimes old habits prevent us from moving on. After years we get used to something and then deny a lot of other things around us. Then, after two decades, we are outdated and out of touch with reality. That's what kids and youngsters often see clearly in old people. Our own past story prevents us from living in the present. Don't follow, just get inspired.
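The collection step described above (pull addresses out of the mail log, push them into the nftables set instead of adding one rule per address), as an added shell example that is not the author's bip.pl or nftables.nft. The table and set names (`inet filter`, `blocklist`), the exclusion ranges and the sample log lines are all assumptions.

```sh
#!/bin/sh
# Added example, not the author's bip.pl. Assumed names: table "inet filter",
# set "blocklist". The set is expected to be declared in nftables.nft as, e.g.:
#   table inet filter {
#       set blocklist { type ipv4_addr; flags interval; }
#       chain input { type filter hook input priority 0;
#                     ip saddr @blocklist drop; ... }
#   }
# A set lookup is one operation regardless of size, unlike one rule per address.

# Constructed sample mail log (TEST-NET addresses); stands in for /var/log/mail.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
connect from unknown[203.0.113.9]
lost connection after AUTH from unknown[203.0.113.9]
connect from unknown[192.0.2.10]
connect from localhost[127.0.0.1]
connect from mail.lan[10.0.0.5]
disconnect from unknown[198.51.100.7]
EOF

# Addresses never to block: loopback and RFC 1918, so the local network stays
# reachable even if it shows up in the log (assumed exclusion list).
EXCLUDE='^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

# extract_ips LOGFILE: unique IPv4 addresses found in the log, minus EXCLUDE.
extract_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | grep -vE "$EXCLUDE" | sort -u
}

# build_nft_cmd LOGFILE: one nft statement adding every collected address.
# Returns 1 when there is nothing to add, so callers do not invoke nft for nothing.
build_nft_cmd() {
    ips=$(extract_ips "$1" | paste -sd, -)
    [ -n "$ips" ] || return 1
    printf 'add element inet filter blocklist { %s }\n' "$ips"
}

# Stand-alone run: print the statement for the sample log. In the real workflow
# the output is piped into `nft -f -`, the addresses are appended to the
# persistent blocklist file, and the mail log is truncated afterwards.
build_nft_cmd "$SAMPLE_LOG"
```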