I'd love something similarly scoped centered around nftables. Does anyone have a suggestion? I see No Starch has a Linux Firewall book, but it's from 2008 and is thus iptables-based.
It's a great book, I used to have some edition of it and it helped me a lot professionally with setting up firewalls, load balancing, traffic shaping and more.
I also had a book on Designing FreeBSD rootkits that was very educational.
Unfortunately I've given away all my books for more minimalistic living where I am instead dependent on digital information. Not sure how to feel about it.
What's everyone's experience with modern PF in production? Also, not to start a holy war, but what people think about modern PF vs nftables? I've only ever used nftables (and only in fairly simple scenarios) but I've always been curious about the PF side of the world.
For me, the decisive factor is readability as a safety mmechanism. When you are debugging a network outage at 3 AM, PF's syntax (pass in on $ext_if...) reads almost like English sentences.
nftables is technically powerful and faster than legacy iptables, but the cognitive load required to parse a complex ruleset is still higher than PF. In an operational context, clarity prevents outages. That alone makes PF the superior choice for edge firewalls where human auditability is critical.
8 comments
[ 4.8 ms ] story [ 23.7 ms ] threadI also had a book on Designing FreeBSD rootkits that was very educational.
Unfortunately I've given away all my books for more minimalistic living where I am instead dependent on digital information. Not sure how to feel about it.
nftables is technically powerful and faster than legacy iptables, but the cognitive load required to parse a complex ruleset is still higher than PF. In an operational context, clarity prevents outages. That alone makes PF the superior choice for edge firewalls where human auditability is critical.
- [0] https://www.netgate.com/blog/updates-to-the-pf-packet-filter...