Replace iptables with nftables
-
Glad to know about it.
-
Thanks for the info. We in fact want to move to ufw instead. It seems most users are more comfortable with ufw and not iptables which is too low level.
-
Thanks for the info. We in fact want to move to ufw instead. It seems most users are more comfortable with ufw and not iptables which is too low level.
@girish the main issue with ufw is that is doesn't support managing any rules in specific chains. (for example the important INPUT chain or the custom CLOUDRON chain).
We need ways for at least this to be able to fully manage the range of apps and services we need.
-
@robi In the recent release, we added a way to blacklist IPs and also whitelist additional ports. Do these two things cover most cases? https://docs.cloudron.io/networking/#firewall
@girish ooh that's great! I knew about the blocklist (bye-bye .cn) but not the whitelist.
can you add a udp port example to the whitelist docs?
I keep struggling to keep mosh accessible after a cloudron reboot and it would make sense to simply add mosh support to the default install. (thoughts?)
It's also not clear if IP port ranges are supported in the whitelist. (mosh ports listed as: 60000-60010 or 60000:60010 didn't work.)
Do I need to list all the ports in the range?
Also, why does the cloudron-firewall restart take so long? 15-20secs is disturbingly long.
json is ugh, does it make sense to also convert it to plain text like the blocklist?
-
@robi said in Replace iptables with nftables:
can you add a udp port example to the whitelist docs?
Currently, only tcp is supported. I will look into adding udp, it should be straightforward.
Also, why does the cloudron-firewall restart take so long? 15-20secs is disturbingly long.
I think that's the time the kernel is taking to add your blocklist to ipset. I imagine it's pretty big? How many entries does it have?
-
@robi said in Replace iptables with nftables:
can you add a udp port example to the whitelist docs?
Currently, only tcp is supported. I will look into adding udp, it should be straightforward.
Also, why does the cloudron-firewall restart take so long? 15-20secs is disturbingly long.
I think that's the time the kernel is taking to add your blocklist to ipset. I imagine it's pretty big? How many entries does it have?
Currently, only tcp is supported. I will look into adding udp, it should be straightforward.
Hmm, then why am I seeing some of the udp ports I added?
I also see iptables -L | grep 50000:51000
what is this for? looks like a typo for mosh (60000-61000)I think that's the time the kernel is taking to add your blocklist to ipset. I imagine it's pretty big? How many entries does it have?
oh yes, 13,687 IPs in blocklist now (cn, ru), 25 seconds to load.
-
Currently, only tcp is supported. I will look into adding udp, it should be straightforward.
Hmm, then why am I seeing some of the udp ports I added?
I also see iptables -L | grep 50000:51000
what is this for? looks like a typo for mosh (60000-61000)I think that's the time the kernel is taking to add your blocklist to ipset. I imagine it's pretty big? How many entries does it have?
oh yes, 13,687 IPs in blocklist now (cn, ru), 25 seconds to load.
