From f901327c92964bf19c56d19d91d992a5b48a74ab Mon Sep 17 00:00:00 2001 From: Alexis Date: Mon, 7 Sep 2020 15:03:31 +1000 Subject: [PATCH] : Split "Firewalls" section into distinct sections. --- src/SUMMARY.md | 3 +- src/config/network/index.md | 9 ++++ .../network/{firewalls.md => iptables.md} | 45 ++----------------- src/config/network/nftables.md | 38 ++++++++++++++++ 4 files changed, 52 insertions(+), 43 deletions(-) rename src/config/network/{firewalls.md => iptables.md} (50%) create mode 100644 src/config/network/nftables.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 9bccd5190..86ad1cb58 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -32,11 +32,12 @@ - [Kernel](./config/kernel.md) - [Power Management](./config/power-management.md) - [Network](./config/network/index.md) - - [Firewalls](./config/network/firewalls.md) - [wpa_supplicant](./config/network/wpa_supplicant.md) - [IWD](./config/network/iwd.md) - [NetworkManager](./config/network/networkmanager.md) - [ConnMan](./config/network/connman.md) + - [iptables](./config/network/iptables.md) + - [nftables](./config/network/nftables.md) - [Network Filesystems](./config/network-filesystems.md) - [Session and Seat Management](./config/session-management.md) - [Graphical Session](./config/graphical-session/index.md) diff --git a/src/config/network/index.md b/src/config/network/index.md index 702560e08..ac6a71d9c 100644 --- a/src/config/network/index.md +++ b/src/config/network/index.md @@ -57,3 +57,12 @@ Void provides several ways to connect to wireless networks: - [iwd](./iwd.md) - [NetworkManager](./networkmanager.md) - [ConnMan](./connman.md) + +## Firewalls + +By default, the `iptables` package is installed on the base system. However, +iptables is now considered deprecated on Linux, with nftables as its +replacement. + +- [iptables](./iptables.md) +- [nftables](./nftables.md) 
diff --git a/src/config/network/firewalls.md b/src/config/network/iptables.md similarity index 50% rename from src/config/network/firewalls.md rename to src/config/network/iptables.md index 5a0309e76..f4b5939e2 100644 --- a/src/config/network/firewalls.md +++ b/src/config/network/iptables.md @@ -1,6 +1,4 @@ -# Firewalls - -## iptables +# iptables By default, the `iptables` package is installed on the base system. It provides [iptables(8)/ip6tables(8)](https://man.voidlinux.org/iptables.8). The related @@ -11,7 +9,7 @@ system administrator. Two example rulesets are provided in the `/etc/iptables` directory: `empty.rules` and `simple_firewall.rules`. -### Applying the rules at boot +## Applying the rules at boot To apply iptables rules at runit stage 1, install the `runit-iptables` package. This adds a core-service which restores the `iptables.rules` and @@ -37,7 +35,7 @@ After rebooting, check the active firewall rules: # ip6tables -L ``` -### Applying the rules at runtime +## Applying the rules at runtime `iptables` comes with two runit services, `iptables` and `ip6tables`, to quickly flush or restore the `iptables.rules` and `ip6tables.rules` rulesets. Once these 
@@ -53,40 +51,3 @@ and restore them by upping the relevant service, e.g.: ``` # sv up ip6tables ``` - -## nftables - -`nftables` replaces `iptables`, `ip6tables`, `arptables` and `ebtables` -(collectively referred to as `xtables`). The [nftables -wiki](https://wiki.nftables.org/wiki-nftables/index.php/Main_Page) describes -[the main -differences](https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables) -from the `iptables` toolset. - -To use `nftables`, install the `nftables` package, which provides -[nft(8)](https://man.voidlinux.org/nft.8). It also provides -[iptables-translate(8)/ip6tables-translate(8)](https://man.voidlinux.org/iptables-translate.8) -and -[iptables-restore-translate(8)/ip6tables-restore-translate(8)](https://man.voidlinux.org/iptables-restore-translate.8), -which convert `iptables` rules to `nftables` rules. - -### Applying the rules at boot - -To apply nftables rules at runit stage 1, install the `runit-nftables` package. -This adds a core-service which restores the ruleset in `/etc/nftables.conf`. - -### Applying the rules at runtime - -The `nftables` package provides the `nftables` service, which uses rules from -`/etc/nftables.conf`. Once you [enable](../services/index.md#enabling-service) -the `nftables` service, to load the rules, run: - -``` -# sv up nftables -``` - -To flush the rules, run: - -``` -# sv down nftables -``` diff --git a/src/config/network/nftables.md b/src/config/network/nftables.md new file mode 100644 index 000000000..1c9335ae0 --- /dev/null +++ b/src/config/network/nftables.md 
@@ -0,0 +1,38 @@ +# nftables + +`nftables` replaces `iptables`, `ip6tables`, `arptables` and `ebtables` +(collectively referred to as `xtables`). The [nftables +wiki](https://wiki.nftables.org/wiki-nftables/index.php/Main_Page) describes +[the main +differences](https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables) +from the `iptables` toolset. + +To use `nftables`, install the `nftables` package, which provides +[nft(8)](https://man.voidlinux.org/nft.8). It also provides +[iptables-translate(8)/ip6tables-translate(8)](https://man.voidlinux.org/iptables-translate.8) +and +[iptables-restore-translate(8)/ip6tables-restore-translate(8)](https://man.voidlinux.org/iptables-restore-translate.8), +which convert `iptables` rules to `nftables` rules. + +## Applying the rules at boot + +To apply nftables rules at runit stage 1, install the `runit-nftables` package. +This adds a core-service which restores the ruleset in `/etc/nftables.conf`. + +## Applying the rules at runtime + +The `nftables` package provides the `nftables` service, which uses rules from +`/etc/nftables.conf`. [Enabling](../services/index.md#enabling-services) the +service will load the rules. + +To flush the rules, run: + +``` +# sv down nftables +``` + +To re-load the rules, run: + +``` +# sv up nftables +```
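Review bot: In the `src/config/network/index.md` hunk, the new "Firewalls" paragraph states that "iptables is now considered deprecated on Linux", which overstates the situation and may confuse readers who find the `iptables` package installed by default on the very same system. The iptables userspace tools are still maintained; nftables is their designated successor. Suggest softer wording such as "nftables is the successor to iptables and is the recommended choice for new configurations; the `iptables` package remains available and is installed on the base system." Also note that the first sentence ("By default, the `iptables` package is installed on the base system.") is repeated verbatim at the top of `iptables.md`; keeping it in one place, or shortening the index.md version to a cross-reference, would avoid the two drifting apart.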
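Review bot: The section removed from `iptables.md` (hunk `@@ -53,40 +51,3 @@`) linked the service-enabling instructions as `../services/index.md#enabling-service`, while the text re-added in `nftables.md` links `../services/index.md#enabling-services`. One of the two anchors is wrong; please confirm which heading exists in `src/config/services/index.md` and use that one. The remaining body of `iptables.md` is not shown in this diff, so also check that its "Applying the rules at runtime" section (the "Once these …" sentence cut off at the end of the hunk) points at the same anchor, otherwise the two sibling pages will link differently.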
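Review bot: The new `nftables.md` gives no way to verify that the ruleset was actually loaded, whereas the sibling `iptables.md` (hunk `@@ -11,7 +9,7 @@`) ends its boot section with "After rebooting, check the active firewall rules: # ip6tables -L". For parity, and because a firewall that silently failed to load is the failure mode a reader most needs to catch, add the equivalent check after the "Applying the rules at boot" paragraph, e.g. `# nft list ruleset`. Relatedly, `iptables.md` tells the reader where to find a starting point ("Two example rulesets are provided in the `/etc/iptables` directory"), but `nftables.md` only says the service "uses rules from `/etc/nftables.conf`" without saying whether the package ships a default file or how to produce one; since the same page already introduces `iptables-restore-translate(8)`, one sentence showing that it can convert `/etc/iptables/simple_firewall.rules` into a starting `/etc/nftables.conf` would close that gap.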