
But not having to cobble together a bunch of arcane iptables commands and then combine bpf and other userland tools … when one can just use the clean syntax of PF, especially for home use, is a clear win.



I've used both extensively and I find eBPF+iptables (and sometimes nft) significantly more flexible and easier to use in the real world (not just simple examples) than PF. shrug


Do you have a sample or blog post of how your setup looks? I’m keen to see how folks are using eBPF in the personal firewall space.


> But don’t have to cobble together a bunch of arcane iptables commands

If you did manage to figure out the iptables commands you now have to change them over to nftables. :)


No, iptables is a perfectly functional nftables frontend.


Not having to manage two rulesets -- one for IPv4 and one for IPv6 -- is pretty well a killer feature in my mind.
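As an added illustration of that point (not part of the thread or any project's own configuration), an nftables ruleset in the `inet` family, which applies to IPv4 and IPv6 in a single table; the SSH port 22 is an assumption:

```nft
#!/usr/sbin/nft -f
# Added example: one inet-family table covers IPv4 and IPv6 together,
# replacing the separate iptables and ip6tables rulesets.
# Assumption: SSH listens on port 22.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and established/related traffic for both address families
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery; ICMPv6 also carries
        # neighbour discovery, so IPv6 breaks without it
        meta l4proto { icmp, ipv6-icmp } accept

        # New SSH connections from either family, rate-limited
        tcp dport 22 ct state new limit rate 10/minute accept

        # Log and drop everything else
        log prefix "nft-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`; the dropped packets show up in the kernel log with the `nft-input-drop:` prefix.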


nftables is now almost 10 years old! It's time to forget the bad experiences with iptables.


I have -- I let the OpenBSD firewalls take care of it :P

Seriously though, it's something I need to get familiar with; I do still have plenty of Linux boxes that face the public Internet and are currently dependent on iptables/ip6tables rulesets. The problem is I'm currently masking that pain with Ansible.



