
Re: is nft running? how do I get info?


Dan Ritter

Apr 24, 2023, 8:50:06 AM
Bonno Bloksma wrote:
> Hi,
>
> After years of using ipchains and later iptables as firewall I am now trying to use nft. :-)
>
> I thought I understood it all and as far as I know I have a working config. But just trying to get a listing of the running config shows NOTHING.
> linbookwormtest:~# nft list ruleset
> linbookwormtest:~#

That says that you have no firewall set up.

All Linux kernel firewalls are implemented via nft, even if you are
using iptables or ufw or some other system.

>
> There is nothing in the journal about nft
> linbookwormtest:~# journalctl -t nft
> -- Journal begins at Mon 2023-03-27 13:07:50 CEST, ends at Mon 2023-04-24 12:18:07 CEST. --
> -- No entries --

Try this:

$ lsmod | grep nft

I get:

nft_chain_nat          16384  3
nf_nat                 57344  2 nft_chain_nat,xt_MASQUERADE
nft_compat             20480  25
x_tables               53248  13 xt_conntrack,nft_compat,xt_multiport,xt_state,xt_tcpudp,xt_tcpmss,xt_addrtype,xt_CHECKSUM,xt_recent,xt_set,ipt_REJECT,xt_MASQUERADE,ip6t_REJECT
nft_counter            16384  52
nf_tables             253952  153 nft_compat,nft_counter,nft_chain_nat
nfnetlink              20480  5 nft_compat,nf_conntrack_netlink,nf_tables,ip_set


> So nothing, not even a warning or an error. So how do I know if nft is running at all? I am guessing it does NOT run because.....
> Even using just the default ruleset in /etc/nftables.conf shows nothing in the logs. It should at least show something right?

It's not a matter of running, it's a matter of whether rules
have been loaded.


> Now whether I have those SSH lines enabled or disable them makes no difference, I can still logon using ssh. :-(
>
> How, how do I continue? It isn't even working on a clean install of Debian bookworm with the default config file.


Try:

# nft -f /etc/nftables.conf
# nft list ruleset


I suspect you just don't have anything loading the rules.

-dsr-

Anssi Saari

Apr 24, 2023, 11:10:07 AM
Bonno Bloksma <b.bl...@tio.nl> writes:

> Hi,
>
> After years of using ipchains and later iptables as firewall I am now trying to use nft. :-)
>
> I thought I understood it all and as far as I know I have a working config. But just trying to get a listing of the running config shows NOTHING.
> linbookwormtest:~# nft list ruleset
> linbookwormtest:~#
>
> There is nothing in the journal about nft
> linbookwormtest:~# journalctl -t nft
> -- Journal begins at Mon 2023-03-27 13:07:50 CEST, ends at Mon 2023-04-24 12:18:07 CEST. --
> -- No entries --

Debian's nftables package includes a systemd service to run
nftables. You might want to run systemctl status nftables first and
then enable and start the service.

I wonder how you used iptables? I always used a script for that but I
had to run it too for changes...

Stanislav Vlasov

Apr 25, 2023, 5:20:07 AM
Tue, 25 Apr 2023 at 13:32, Bonno Bloksma <b.bl...@tio.nl>:
> > Debian's nftables package includes a systemd service to run nftables. You might want to run systemctl status nftables first and then enable and to start the service.
> Unfortunately nft is not a service. Trying the service command with nft gives an error.
> linbookwormtest:~# service nft status
> Unit nft.service could not be found.
> linbookwormtest:~#

$ sudo systemctl status nftables.service
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:nft(8)
             http://wiki.nftables.org

This is not a true service, but only a loader for the /etc/nftables.conf
rules at boot, if enabled.

> Also, trying command completion with nft, or even nf, shows no results. Using just the n for completion gives just the networking service.

nftables: /usr/sbin/nft
This is a package, which may or may not be installed.
And, if you use 'su' command, please use it right:
su -

> > I wonder how you used iptables? I always used a script for that but I had to run it too for changes...
> I always had a script too. I had it hooked in /etc/network/interfaces via either a pre-up or post-up rule depending on whether there was a fixed ip or a dhcp line in the interfaces file.

> A default Debian install has an executable /etc/nftables.conf file. If nothing is looking at that file then what is the "normal" way to start the firewall?

see above

> Do I hook it up via one of the old /etc/init.d/ scripts? Do I create a script in one of the /etc/rc?.d/ directories?

No. You may write some scripts in /etc/network subdirs, if you REALLY
need custom rules at interface up or down.

> Is this a bug?

No. But docs need to be read.
/usr/share/doc/nftables/README.Debian - good starting point.

--
Stanislav

Christoph Brinkhaus

Apr 25, 2023, 5:21:48 AM
On Tue, Apr 25, 2023 at 07:58:56AM +0000, Bonno Bloksma wrote:
Hi Bonno,

> Hi Anssi,
>
> >> There is nothing in the journal about nft
> >> linbookwormtest:~# journalctl -t nft
> >> -- Journal begins at Mon 2023-03-27 13:07:50 CEST, ends at Mon 2023-04-24 12:18:07 CEST. --
> >> -- No entries --
>
> > Debian's nftables package includes a systemd service to run
> > nftables. You might want to run systemctl status nftables first
> > and then enable and to start the service.
> Unfortunately nft is not a service. Trying the service command with
> nft gives an error.
> linbookwormtest:~# service nft status
> Unit nft.service could not be found.
> linbookwormtest:~#

The service is named nftables. This is the name which must be applied
to enable the service and for digging in the logs. nft is used to
manage the filter. Please see
https://www.debian.org/doc/manuals/debian-handbook/sect.firewall-packet-filtering.en.html

Just as a reference the output from my system:


# systemctl status nftables
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2023-04-25 10:28:37 CEST; 26min ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 226 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 226 (code=exited, status=0/SUCCESS)
        CPU: 11ms

Apr 25 10:28:37 lenovo systemd[1]: Finished nftables.
Warning: journal has been rotated since unit was started, output may be incomplete.

> Also, trying command completion with nft, or even nf, shows no
> results. Using just the n for completion gives just the networking
> service.
>
> > I wonder how you used iptables? I always used a script for that
> > but I had to run it too for changes...
> I always had a script too. I had it hooked in
> /etc/network/interfaces via either a pre-up or post-up rule
> depending if there was a fixed ip or a dhcp line in the interfaces
> file.
>
> A default Debian install has an executable /etc/nftables.conf file.
This configuration is started by systemd with
nft -f /etc/nftables.conf. The default file does no filtering at all.

> If nothing is looking at that file then what is the "normal" way to
> start the firewall? Do I hook it up via one of the old /etc/init.d/
> scripts? Do I create a script in one of the /etc/rc?.d/ directories?
> I am pretty sure they don't expect every novice to start writing
> systemd service files? I don't even know where they are, I never
> touch them, too much can go wrong by not understanding how it all
> connects. If I install dhcp it comes with default config files. If
> I change them then THAT config gets loaded.
>
> If Debian does NOTHING with that nft config file then why is it
> there? Is this a bug?
Please enable the firewall by # systemctl enable nftables.service.
Then it should work.

Kind regards,
Christoph
--
If the cat is healthy,
it tastes good to the dog.

Anssi Saari

Apr 25, 2023, 6:10:07 AM
Bonno Bloksma <b.bl...@tio.nl> writes:

> Also, trying command completion with nft, or even nf, shows no
> results. Using just the n for completion gives just the networking
> service.

It seems others covered your other issues so I'll just comment on this.

Maybe your command completion is just bad? I can't complete service
names either, with bash. In zsh completion works out of the box and
that's one reason I use it, instead of bash.

Greg Wooledge

Apr 25, 2023, 7:20:05 AM
On Tue, Apr 25, 2023 at 02:11:45PM +0500, Stanislav Vlasov wrote:
> And, if you use 'su' command, please use it right:
> su -

There are many "right" ways to elevate privileges. See
<https://wiki.debian.org/NewInBuster#Changes> for more options.

David Wright

Apr 25, 2023, 9:00:06 AM
On Tue 25 Apr 2023 at 08:59:23 (+0000), Bonno Bloksma wrote:
>
> Did I discover a bug in the bookworm release? I think we can argue both for and against but I am calling it a bug.
>
> It seems the bookworm release comes with NO firewall solution enabled !
> Iptables is no longer installed by default
> The nft service is NOT enabled by default.
>
> After searching some more I found "Enable and start the nftables service by":
> sudo systemctl enable nftables
> sudo systemctl start nftables.
> Looking at the sudo stuff it must have been written for Ubuntu. And indeed, I now have a nft service that will by default load the /etc/nftables.conf file :-)
> The start command in itself is not needed, it just starts the firewall right away.
>
> I do NOT understand why it is not enabled by default with the default config as it is.
> The firewall in itself is open enough that it does not block stuff, but it does allow someone to build upon or to replace it with a proper firewall.
>
> There probably was a discussion about it sometime in the past and this is what "they" came up with.
> Still, I think there should be a better way, have a default (semi) open firewall and have it enabled by default.
>
> Now all I need to do is go to my existing Buster installs and enable the firewall. It seems after I changed the iptables script to a nft config I have been running my buster machines with a proper nft config that NEVER got loaded. :-(

It seems like you missed reading the Release Notes:

§2.2.6 Network filtering based on nftables framework by default

and the reference there to https://wiki.debian.org/nftables
which has its § "nftables in Debian the easy way".

Cheers,
David.

songbird

Apr 25, 2023, 12:00:06 PM
Bonno Bloksma wrote:
...
> Why, now that we are at bookworm, is the nftables service not enabled by default? With a default ruleset that pretty much leaves it all open but is a starting point.
> If we do not want that, then at least the default config should contain a warning about first enabling the service or scripting something to have it working (after a reboot).
>
> I think this is the first time I have come across something in Debian that after being installed by default does nothing, even when provided with a valid config file at the proper location.
> I consider that a bug.
>
> Here is something similar.
> Consider opening your door with a key. Every time you open the door with the key it opens. All is well, you bought the cylinder and key for the lock at a very good locksmith. You told him you had been installing cylinders in doors for years and you were able to insert this cylinder in the door.
> Until sometime later you find out the door never locks, it is always open, that is why you could always enter.
> It turns out you first need to enable the cylinder before it did something useful with the key provided.
> That was something completely new, you never heard of it before, neither do I though. ;-)
>
> Bonno Bloksma

not everyone wants a firewall installed on their system
(non-desktop users or embedded systems being two examples
that easily come to mind).

i think for most desktop installs there should be a minimal
firewall installed but then you get into the issue of which one?

personally i run ufw.


songbird

David Wright

Apr 25, 2023, 2:20:05 PM
On Tue 25 Apr 2023 at 15:21:50 (+0000), Bonno Bloksma wrote:
> I consider not having nftables enabled by default in bookworm a bug, let me explain why...
>
> >> It seems the bookworm release comes with NO firewall solution enabled !
> >> Iptables is no longer installed by default
> >> The nft service is NOT enabled by default.
>
> > It seems like you missed reading the Release Notes:
> >
> > §2.2.6 Network filtering based on nftables framework by default
>
> Ok, I was "talking" about bookworm, these are the release notes for Buster, not even Bullseye. I was not interested in nft at that time and probably glanced over it.
> I can understand nft not being enabled by default in Buster, we still had a fully functional iptables at that point, I guess most of us still used it at that time.

Those (ie you) were the people for whom the Release Notes were written.

> > and the reference there to https://wiki.debian.org/nftables which has its § "nftables in Debian the easy way".
> This still talks about installing nftables, that is also very old.
>
> But yes, I must have missed it because I never enabled the nftables "service".

That's what I thought. But it's only old because this was all
documented two releases ago.

> What I am talking about now is that iptables is gone (by default).

Yes, they wrote "nftables provides a full replacement for iptables", …
"This change is in line with what other major Linux distributions are doing".
And the wiki: "the iptables utility may not be installed in a system by default."

If you were an iptables user, you'd have found in NEWS.Debian:

"iptables is no longer Priority: important. This means it is not
installed by default in every system. It has been replaced by nftables"

and there was advice on tools for converting iptables into nftables
configurations, spelled out in README.Debian.

> There is also a default nftables.conf file, but ... it is almost useless and even misleading because it never gets used.
> And unless you make an obvious error and NOT expect your service(s) to work why would you be surprised when the (non existing) firewall enables the services to work as they should?

AFAICT all your complaints are answered in the wiki and the iptables
documentation, and changes really ought not to come as a surprise.

> In all the 20+ years I have been writing firewalls I have always written them by starting from a closed firewall to open just the right services/ports. I would never test if something worked for which I never opened the corresponding port, why would I? I would test if something worked for which I had supposedly opened the correct network port.
> Also in those days with ipchains and iptables there were scripts and if there was an error I would see it when testing the script.
>
> If I test the /etc/nftables.conf file as a script it will even work flawlessly with no errors. I can even use the nft list ruleset command afterwards to see I have a working firewall.
> Unfortunately that works only until the next reboot, but why would I think so?
>
> Why, now that we are at bookworm, is the nftables service not enabled by default? With a default ruleset that pretty much leaves it all open but is a starting point.
> If we do not want that, then at least the default config should contain a warning about first enabling the service or scripting something to have it working (after a reboot).
>
> I think this is the first time I have come across something in Debian that after being installed by default does nothing, even when provided with a valid config file at the proper location.
> I consider that a bug.

Debates have raged in the past about whether services should be
started automatically just because they have been installed.
My recollection is that it was Unix old-timers who maintained that
they ought not to be. And …

> Here is something similar.
> Consider opening your door with a key. Every time you open the door with the key it opens. All is well, you bought the cylinder and key for the lock at a very good locksmith. You told him you had been installing cylinders in doors for years and you were able to insert this cylinder in the door.
> Until sometime later you find out the door never locks, it is always open, that is why you could always enter.
> It turns out you first need to enable the cylinder before it did something useful with the key provided.
> That was something completely new, you never heard of it before, neither do I though. ;-)

And the opposing view, a more likely scenario: you have new locks
fitted. Unfortunately, the first time you go out, you pocket your
keys as usual and walk out, closing the door behind you. Later you
find you hadn't yet fitted the new key onto your keyring…

Cheers,
David.