nftables wrapper? How do you manage nftables on servers?

blunix

I've used shorewall on servers for ages and I'm super happy with it. Sadly, it runs on iptables and has no intention of migrating to nftables.

There is firewalld, but it doesn't have an option to log dropped/rejected packets based on zones. You can just log everything, which is total nonsense, as I don't need a log of all the port scans that are just like rain on your car's windshield. What I want is only dropped/rejected outgoing packets, or better said, from all zones EXCEPT "public".

There seems to be no better wrapper so far. I'm kind of considering doing nftables "old school" by writing a wrapper in Ansible. But that's pretty meh, as it makes sense to have a project maintain a firewall wrapper.

Any suggestions?
What I want is only dropped/rejected outgoing packets, or better said from all zones EXCEPT "public".
I think you don't need a wrapper. I'm a fan of nftables and rsyslog to log only dropped packets; firewalld can also be configured to log packets with rsyslog.

The rsyslog config file accepts regex syntax, which should let you log either all dropped packets or only those based on the NIC being used (e.g. the one used by your zone).
How you define your regex depends on the log output of firewalld.

nftables logs packets to kern.log IIRC, so here is my sample rsyslog config file, which redirects all nftables log entries to a separate file:

Bash:
# System wide configuration file: /etc/rsyslog.conf
# Includes files: /etc/rsyslog.d/
# This config: /etc/rsyslog.d/nftables.conf
# https://www.rsyslog.com/doc/configuration/filters.html

# sudo systemctl restart rsyslog.service

# Log messages generated by nftables
:msg, regex, "IN=[A-Za-z0-9]* OUT=" /var/log/nftables/nftables.log

# Stop processing it further
& stop

If you need help with regex to filter the desired dropped packets, please share the sample log output generated by firewalld that you wish to filter.

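To make the rsyslog side actually selective, the nftables rules themselves have to log only the drops you care about and tag them with a prefix. Here is an added example ruleset (not from any post in this thread) that logs drops from the internal zone and from the output chain, but drops "public" traffic silently so port scans never reach the log. The interface names are assumptions: eth0 is the "public" zone, eth1 is an internal zone.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the thread. Assumptions: eth0 = "public" zone,
# eth1 = internal zone. Load with: nft -f /etc/nftables.conf
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # "public" zone (eth0): allow SSH, drop everything else WITHOUT a log
        # statement, so scan noise never hits kern.log. Order matters: this
        # rule must come before any logging rule below.
        iifname "eth0" tcp dport 22 accept
        iifname "eth0" drop

        # internal zone (eth1): allow SSH/HTTPS, log the rest before the chain
        # policy drops it. The rate limit keeps one misbehaving internal host
        # from flooding the log.
        iifname "eth1" tcp dport { 22, 443 } accept
        iifname "eth1" limit rate 10/second burst 20 packets log prefix "nft-drop-internal: " level warn
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy drop;

        ct state established,related accept
        oif "lo" accept

        # egress allow-list: DNS, NTP, HTTPS. Anything else is the
        # "dropped outgoing packet" the thread asks about: log it, then the
        # chain policy drops it.
        udp dport { 53, 123 } accept
        tcp dport { 53, 443 } accept
        limit rate 10/second burst 20 packets log prefix "nft-drop-out: " level warn
    }
}
```

With the prefixes in place you no longer need a generic regex: an rsyslog property filter such as `:msg, contains, "nft-drop-"` (followed by the same `& stop`) catches exactly these two rules and nothing else, and on a journald-only host `journalctl -k -g nft-drop-` does the same without any rsyslog config. Two caveats: the `log` statement alone does not drop anything, so the chain policy (or an explicit `drop`) must follow it, and if you want local processes to fail fast instead of timing out you can replace the output chain's drop with a `reject with icmpx type admin-prohibited` rule after the log line.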
can also be configured to log packets with rsyslog.

I'm on systemd-journald. I can filter this out, but meh... I want the firewall wrapper to do this.

I know I don't have to have a wrapper, but it would make things simpler. Having shorewall was a TON better than manually messing with iptables. It's much easier to manage for the customers as well. I can't give them an iptables / nftables script; that's too complicated for them to understand.

If you need help with regex

That's an LLM thing by now. Nobody does this by hand anymore, I think. I just read them to verify that it's not "LLM fantasy", but writing them takes much longer than telling the LLM "parse this into this".