NEWS: Linux Gets New Firewall
The Linux firewall of the last eight years, iptables, will soon be ditched to make way for its successor, nftables.
Announced with little fanfare last week by iptables developer Patrick McHardy, the launch of the nftables alpha has barely been mentioned by the press.
That's somewhat surprising, considering the new software will represent the biggest change to Linux firewalling since the introduction of iptables in 2001.
Gordon 'Fyodor' Lyon, the creator of the nmap security scanning tool, says he's excited by the alpha release.
"I'm... looking forward to its general release in the mainstream Linux kernel," he told Risky.Biz. "The previous transitions from ipfwadm to ipchains and then to netfilter (iptables) each brought a new, more powerful firewall interface to the user. I expect nftables to do the same."
Administrators who learn the nftables syntax will find it much more expressive and easier to read, Lyon added.
Melbourne-based CSO Adam Pointon says he's surprised the announcement hasn't made more of a splash.
"It's the next generation Linux firewall," he says. "It's a significant milestone and people should pay attention to it."
However, it's not great news for everyone. Iptables and netfilter will be phased out as nftables becomes the norm, Pointon says, which could create some extra work for security appliance manufacturers.
"Iptables is used heavily by lots of UTM products, like routers, DSL modems and the like," he says. "Support will end for that code and everyone will move to nftables. So all the Linux boxes out there using it... will eventually have to re-write all their stuff or wind up using old, unsupported code."
The new firewall has native IPv6 support and userland queuing. "Snort and anything at that layer will be better integrated," Pointon says, adding that nftables will be faster, process rules more efficiently and allow administrators more control at the userland level.
The code base is also significantly smaller. "That can only be a good thing for its security," Pointon says. "It will take Linux firewalling to the next level."
While the alpha release is available now, nftables will go through an extensive beta testing phase before it is included in the mainline Linux kernel.