<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Firewall - vo.rs</title><link>https://vo.rs/tags/firewall/</link><description>Latest from the Firewall desk at vo.rs.</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.</copyright><lastBuildDate>Mon, 08 Apr 2024 08:30:00 +0000</lastBuildDate><atom:link href="https://vo.rs/tags/firewall/" rel="self" type="application/rss+xml"/><item><title>nftables: Firewall Rules Without the iptables Baggage</title><link>https://vo.rs/story/nftables-firewall-rules-without-the-iptables-baggage/</link><description>&lt;p&gt;&lt;code&gt;iptables&lt;/code&gt; has been the default answer to &amp;ldquo;how do I write firewall rules on Linux&amp;rdquo; for so long that its warts feel normal. Four separate binaries for four protocol families (&lt;code&gt;iptables&lt;/code&gt;, &lt;code&gt;ip6tables&lt;/code&gt;, &lt;code&gt;arptables&lt;/code&gt;, &lt;code&gt;ebtables&lt;/code&gt;), each with its own syntax. Rule matching that&amp;rsquo;s a linear scan, so a ruleset with thousands of entries — a fail2ban instance with a long ban list, say — gets measurably slower per packet. No native way to group addresses or ports without either duplicating rules or reaching for the clunky &lt;code&gt;ipset&lt;/code&gt; extension. &lt;code&gt;nftables&lt;/code&gt; replaced all of that in the mainline kernel back in 3.13 (2014), and as of most current distributions it&amp;rsquo;s the default backend even when you type &lt;code&gt;iptables&lt;/code&gt; out of habit — but writing rules in its native syntax rather than through the compatibility shim is where the actual improvements live.&lt;/p&gt;</description><pubDate>Mon, 08 Apr 2024 08:30:00 +0000</pubDate></item><item><title>OPNsense: A Serious Firewall for a Serious Home</title><link>https://vo.rs/story/opnsense-a-serious-firewall-for-a-serious-home/</link><description>&lt;p&gt;The router your ISP gave you is a compromise built to a price point, and it shows the moment you ask it to do anything beyond NAT a single flat network. No VLANs, no real firewall rules beyond &amp;ldquo;allow everything out, block everything in&amp;rdquo;, a web interface that reboots the whole box to change a DNS entry, and firmware that stops receiving updates the day the model falls out of the current catalogue. It works fine for a household that just wants Netflix and email. It falls over the instant you want a guest network that can&amp;rsquo;t see your NAS, a camera VLAN that can&amp;rsquo;t phone home to the internet, or logging that tells you what actually crossed the WAN link last Tuesday.&lt;/p&gt;</description><pubDate>Tue, 07 Nov 2023 09:00:00 +0000</pubDate></item></channel></rss>