ZenoArrow 9 hours ago

> I've used pfsense, OpenWRT, Barracuda, Verizon's OEM router (Actiontec) and they all represent the same functionality wildly differently.

Worth noting that pfSense (and OPNsense) are not Linux-based, they're based on BSD, specifically FreeBSD. While it's possible to have standard router OS web UIs that are cross platform, the underlying technology is different, so it's not really a surprise that there will be differences in how the devices running these OSes are configured.

lstodd 8 hours ago | parent [-]

Not much different. FreeBSD's pf is a port of OpenBSD's pf, and nftables are heavily influenced by them.

At this point I rather doubt the sanity of people still sticking to iptables tbh.

So there is approximately one concept of "packet filter done right". UI madness is on UI authors.

johnmaguire 7 hours ago | parent | next [-]

The primary reason I stick to iptables instead of nft is that I already learned iptables decades ago, and some software I interact with still defaults to iptables and/or does not have full support for nft.

Why do you doubt the sanity of people sticking to iptables? What makes nft compelling?

hurricanepootis 2 hours ago | parent | next [-]

There is iptables-nft, which is iptables with an NFT backend.

0xCMP 6 hours ago | parent | prev [-]

My main reason is that nft applies configs atomically. It also has very good tracing/debugging features for figuring out how and why things aren't working as expected.

That said, I think many distros are shipping `iptables` as the wrapper/compatibility layer over nft now anyways.
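The atomic loading 0xCMP describes, shown as an added example that is not from the thread or from the nftables project: a POSIX shell script that renders a complete ruleset to a file, syntax-checks it with `nft -c -f`, and then loads it with one `nft -f`. Because the file starts with `flush ruleset`, the flush and the new tables are committed together in a single transaction, so the kernel never runs a half-applied mix of old and new rules. The interface name, the SSH port and the output path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build an nftables ruleset as one file
# and load it with a single `nft -f`, so the kernel sees either the old or the
# new ruleset, never a partial one. WAN_IF and SSH_PORT are assumed values.

WAN_IF="${WAN_IF:-eth0}"      # assumed WAN interface name
SSH_PORT="${SSH_PORT:-22}"    # assumed SSH port

# Emit the complete ruleset to stdout. "flush ruleset" as the first statement
# is what makes `nft -f` a replace rather than an append: the flush and every
# table that follows are applied in one transaction.
render_ruleset() {
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        iifname "$WAN_IF" tcp dport $SSH_PORT ct state new limit rate 10/minute accept
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Count the chains in a rendered ruleset file; a cheap sanity check on the
# render before anything touches the kernel.
count_chains() {
    grep -c '^[[:space:]]*chain ' "$1"
}

# Parse and evaluate the file without loading it (nft -c), then load it.
# If the check fails, nothing is applied and the running ruleset is left
# exactly as it was. Returns 2 when nft is not installed at all.
apply_ruleset() {
    file="$1"
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; ruleset written to $file but not loaded" >&2
        return 2
    fi
    nft -c -f "$file" || return 1
    nft -f "$file"
}

main() {
    out="$1"
    render_ruleset > "$out"
    echo "rendered $(count_chains "$out") chains into $out"
    apply_ruleset "$out" || echo "not applied (exit $?)"
}

# Usage: sh nft-apply.sh /etc/nftables.conf   (output path is an assumption)
if [ $# -gt 0 ]; then
    main "$1"
fi
```

For the tracing side of the same comment, the idiomatic tool is `nft monitor trace`: temporarily add a rule such as `tcp dport 22 meta nftrace set 1` ahead of the rule you are debugging, and `nft monitor trace` prints every chain and rule that the matching packets traverse, including the final verdict, which is how you find out why a packet is being dropped.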

znpy 5 hours ago | parent [-]

As somebody that's not a network engineer by day and has barely grokked iptables, could you recommend some resources for learning nftables?

craftkiller 7 hours ago | parent | prev [-]

> nftables are heavily influenced by them

Are they? I recently had to learn nftables and they seem to be iptables but with a slightly nicer syntax and without pre-defined chains. But otherwise, nftables directly maps to iptables and neither of them seem similar to pf.