
I've heard this about every linux firewall, can you give some good examples of what either iptables or nftables can't do that pf can?


I don't have good examples of what can or cannot be done.

But I find pf much easier to understand. I can write pf rules myself and understand, clearly, what my firewall is doing. I haven't found iptables near as approachable, and depend on firewall configuration tools to generate the rules and chains for me.


I'd definitely agree that iptables is not nearly as approachable as I've seen pf be. I've yet to see something that can't be done with it if you take the time (this is discounting performance, I know that it can get a little hairy after a few hundred rules if not set up correctly).


Many people use something like denyhosts or fail2ban to help with brute force attacks. PF has built-in support for building rules with options which will throw potential attackers into a 'penalty box' based on certain factors like connection rate.


You can use iptables for that:

  $ sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

  $ sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
Copied from http://kvz.io/blog/2007/07/28/block-brute-force-attacks-with... but I agree that pf is just much more sane config-wise.


Since nftables is supposed to be backwards compatible, I'd guess it can do this too. I wonder what it'll look like for that. A lot of the other syntax looks nicer, I suspect that this will be better too.


That one I haven't seen before, I wonder if the new nftables might be able to implement any of that. Based on the state machine specs probably not, since I don't think there's any storage or any way for it to generate new rules on itself based on what I've read.


I've found PF easier to get started with and more manageable due to the config syntax. Now onto something that PF can do but iptables can't: address family translation. There is a module somewhere on github that does NAT64, but is somewhat limited compared to PF. Now if you want to go the other way around, i.e. NAT46, it is currently not possible on Linux in kernelland.


It's not about what can be done, it's about the learning curve and conciseness of the rules. pf has nice user space tools and easy, powerful syntax.

netfilter's iptables syntax, well.. over the last, what, 10 years? we all got used to it. Seems like nftables is going to require another 5 to become more or less known among people...


Anchors?

Tables?

Or my very favourite: last match wins, which shortens your ruleset considerably.


Anchors look suspiciously like creating a new chain in iptables. For tables there doesn't seem to be any direct analog, though it can be done similarly by creating a chain that matches the list of addresses you're interested in and forwarding the rules there.

That said, both of pf's versions look better than iptables. nftables looks like it does a better job of this, like pf does, which is definitely a good thing.
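To make the two pf features discussed in this thread concrete, here is an added example pf.conf fragment (written for this thread, not taken from any poster or from the OpenBSD project) that puts the 'penalty box' rate limiting from the earlier comment together with a table and an anchor from this one. The interface name `em0`, the table names `<bruteforce>` and `<admins>`, and the file `/etc/pf/admins` are assumptions chosen for the example.

```conf
# Added example: pf.conf fragment (OpenBSD pf syntax), not code from the thread.
ext_if = "em0"                                   # assumed external interface

# Tables: sets of addresses a rule can match against.
table <bruteforce> persist                       # filled automatically by 'overload'
table <admins> persist file "/etc/pf/admins"     # assumed file of trusted addresses

set skip on lo

# Default stance: last match wins, so these broad rules go first and
# are overridden by the more specific rules below.
block in log on $ext_if
pass out on $ext_if keep state

# Anything already in the penalty box is dropped; 'quick' stops evaluation here.
block in quick on $ext_if from <bruteforce>

# Anchor: a named sub-ruleset that can be inspected or reloaded on its own
# with pfctl -a ssh, without touching the main ruleset.
anchor "ssh" on $ext_if {
    # Trusted hosts bypass the limits entirely.
    pass in quick proto tcp from <admins> to port 22

    # Everyone else: at most 10 concurrent connections per source, and no more
    # than 5 new connections per 30 seconds. A source that exceeds either limit
    # is added to <bruteforce> and all of its existing states are flushed.
    pass in proto tcp to port 22 keep state \
        (max-src-conn 10, max-src-conn-rate 5/30, \
         overload <bruteforce> flush global)
}
```

Because the penalty box is an ordinary table, it can be inspected with `pfctl -t bruteforce -T show` and aged out of band, for example by a cron job running `pfctl -t bruteforce -T expire 86400`, which removes entries older than a day. The anchor can be reloaded separately with `pfctl -a ssh -f <file>`, which is roughly the role a dedicated chain plays in iptables.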



