www.frozentux.net uses an invalid security certificate. The certificate expired on October 19, 2017, 9:59 PM. The current time is October 20, 2017, 11:04 AM.

Here's an alternate URL:

https://web.archive.org/web/20170921014253/https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
I hate to say it, but I will never forget the day I first stumbled upon PF.

Up to that point, setting up a router/firewall had been exceedingly painful, using Linux and iptables.

The syntax of pf.conf is beautiful. Somebody (I forgot who) once said that in order to write a rule set one needs to consult the (excellent) man page constantly, but once it is done, reading and understanding it takes no effort at all. As far as the "UI" goes, PF is so far ahead of anything I know of that most other metrics by which to judge a firewall / packet filter seem to disappear.

Just to be clear: I have nothing against Linux; in fact, most of my computers run Linux. But the syntax of pf.conf is just so sweet that once I tasted it, it spoiled me forever. And now iptables scripts look like something out of a Lovecraftian nightmare.
This tutorial is pretty old, actually. I hope someone updates it; then again, we have nftables on the way to replace iptables, so it might be better to just update it to nftables directly.

I find 'nft', along with other commands such as 'ip' and 'tc', pretty hard to use. I hope someone can create complete auto-completion to guide users; it is so hard to memorize all the abbreviated tags/options for those commands.
For those referring to nftables: there's a LOT of stuff in iptables that doesn't work in nftables, from simple things like xt_time to complex ones like xt_TPROXY, so nftables isn't a viable replacement for iptables just yet. In theory there's a compat layer in nftables to get around those, but I have never been able to successfully build a binary that works.
I'm currently working on an nftables setup script (which removes iptables). I plan to release it under GPLv3. As I understand it, nftables is designed to replace iptables (though they both use netfilter, methinks), so I am ripping out iptables everywhere currently.

That said, I love the effort in this documentation.
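The same small router policy written three ways, as an added example that is not from the tutorial or from any commenter in this thread: a pf.conf ruleset of the kind praised above, the equivalent iptables script, and the equivalent nftables ruleset of the kind the migration script above targets. The policy is: drop everything inbound by default, allow replies to established connections, allow LAN hosts out to the Internet with NAT, and allow SSH to the router from the LAN only. Interface names (em0/em1 for pf, eth0/eth1 for Linux), the LAN prefix 192.168.1.0/24 and the IPT dry-run variable are assumptions made for illustration; run the iptables part for real only as root with IPT=iptables.

```shell
#!/bin/sh
# Added example: one router policy in pf.conf, iptables and nftables syntax.
# Interface names, LAN prefix and the IPT variable are assumptions.
EXT_IF="${EXT_IF:-eth0}"              # assumed WAN interface (Linux)
INT_IF="${INT_IF:-eth1}"              # assumed LAN interface (Linux)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN prefix
# Dry run by default: rules are echoed, not applied. IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

# pf.conf version (OpenBSD/FreeBSD). Macros at the top, default deny,
# stateful pass rules; NAT is a one-liner on the external interface.
pf_ruleset() {
    cat <<'EOF'
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"

set skip on lo
scrub in all

nat on $ext_if from $lan_net to any -> ($ext_if)

block in log all
pass out quick keep state

pass in on $int_if from $lan_net to any keep state
pass in on $int_if proto tcp from $lan_net to ($int_if) port ssh
EOF
}

# iptables version: the same policy spread over three chains and two tables.
# Order matters: the conntrack rule must precede the per-port rules.
apply_iptables() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# nftables version: a declarative file for `nft -f`, one table for filtering
# (inet covers IPv4 and IPv6) and one for NAT; policies are set per chain.
nft_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        iifname "$INT_IF" ip saddr $LAN_NET tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$INT_IF" oifname "$EXT_IF" ip saddr $LAN_NET accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$EXT_IF" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# Stand-alone run: show all three forms (iptables in dry-run mode).
echo "# --- pf.conf ---";   pf_ruleset
echo "# --- iptables ---";  apply_iptables
echo "# --- nftables ---";  nft_ruleset
```

To load the nftables form, save the output of nft_ruleset to a file and run `nft -f` on it (`nft -c -f` syntax-checks without applying); for the pf form, `pfctl -nf` checks and `pfctl -f` loads. None of the three enables IP forwarding by itself, so a router still needs `net.ipv4.ip_forward=1` (Linux) or `net.inet.ip.forwarding=1` (BSD) set separately.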
Eventually someone (or I) should make a firewall 'fs' with FUSE; it would map nicely and would be much less of a pain in the ass to work with.