NEWS: Linux Gets New Firewall

Say hello to the new Linux firewall, nftables...
March 26, 2009 -- 

The Linux firewall of the last eight years, iptables, will soon be ditched to make way for its successor, nftables.

Announced with little fanfare last week by iptables developer Patrick McHardy, the launch of the nftables alpha has barely been mentioned by the press.

That's somewhat surprising, considering the new software will represent the biggest change to Linux firewalling since the introduction of iptables in 2001.

Gordon 'Fyodor' Lyon, the creator of the nmap security scanning tool, says he's excited by the alpha release.

"I'm... looking forward to its general release in the mainstream Linux kernel," he told Risky.Biz. "The previous transitions from ipfwadm to ipchains and then to netfilter (iptables) each brought a new, more powerful firewall interfaces to the user. I expect nftables to do the same."

Administrators who learn the nftables syntax will find it much more expressive and easier to read, Lyon added.

Melbourne-based CSO Adam Pointon says he's surprised the announcement hasn't made more of a splash.

"It's the next generation Linux firewall," he says. "It's a significant milestone and people should pay attention to it."

However, it's not great news for everyone. Iptables and netfilter will be phased out as nftables becomes the norm, Pointon says, which could create some extra work for security appliance manufacturers.

"Iptables is used heavily by lots of UTM products, like routers, DSL modems and the like," he says. "Support will end for that code and everyone will move to nftables. So all the Linux boxes out there using it... will eventually have to re-write all their stuff or wind up using old, unsupported code."

The new firewall has native IPv6 support and userland queuing. "Snort and anything at that layer will be better integrated," Pointon says, adding that nftables will be faster, process rules more efficiently and allow administrators more control at the userland level.

The code base is also significantly smaller. "That can only be a good thing for its security," Pointon says. "It will take Linux firewalling to the next level."

While the alpha release is available now, nftables will go through an extensive beta testing phase before finding itself included in the Linux Kernel.