[pkg-netfilter-team] Bug#1034819: nft default disabled
Arturo Borrero Gonzalez
arturo at debian.org
Wed Apr 26 17:07:19 BST 2023
reassign 1034819 debian-installer
On Tue, 25 Apr 2023 11:27:56 +0200 Bonno Bloksma <b.bloksma at tio.nl> wrote:
> Package: d-i
> Severity: minor
>
> Dear Maintainer,
>
> Testing with a new Debian bookworm install, downloaded apr 24 2023, I noticed my nftables.conf firewall configuration never gets loaded.
>
> After some testing and searching on the net I found it is disabled by default. As the /etc/nftables.conf file is marked executable by default this led me to think it would get loaded by the service.
> As the default firewall in that file is quite innocent I wonder why the service is not enabled by default?
>
> In my case not getting any errors and having a proper config led me to believe my firewall was working.
> All services worked as well. Of course they did, there was no firewall. :-(
>
> As Buster still had a working iptables I never noticed the problem there, not even when I converted some of my iptables config to a nft config file.
> All my services still worked after the conversion so I assumed the conversion was successful.
> Never realizing the firewall config never got loaded and there was no firewall at all, so my services did indeed work as there was nothing to block it. :-(
>
> Bookworm does not have iptables anymore by default, it should have at least one active firewall.
> Please by default enable the nft service during install and have it load the (innocent) default config in /etc/nftables.conf.
>
>
The recommended firewall for Debian is the firewalld utility. The default should
be to have firewalld up and running. This is since Debian 11 Bullseye [0].
I don't think there is anything wrong in the nftables package.
Please Debian installer folks, what would we need for tasksel to enable
firewalld by default? (if tasksel is the right place).
regards.
[0] https://lists.debian.org/debian-devel/2019/07/msg00332.html
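A quick way to detect the state the report describes (config file present and executable, service not enabled, nothing actually loaded in the kernel), as an added shell example that is not part of this thread. It assumes systemd's nftables.service and the nft CLI; the embedded ruleset sample is constructed to resemble the stock Debian /etc/nftables.conf and is used only to exercise the parser.

```shell
#!/bin/sh
# Added example, not from the bug report. Checks whether a firewall is really
# active rather than merely configured on disk.

# Constructed sample of what "nft list ruleset" prints once the stock
# /etc/nftables.conf has been loaded: empty base chains, default policy accept.
SAMPLE_LOADED='table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
}'

# Returns 0 if the ruleset text in $1 contains at least one base chain (a
# chain with a "hook" clause). Only base chains see packets; a table without
# any is as good as no firewall at all.
ruleset_has_base_chain() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*type[[:space:]]+(filter|nat|route)[[:space:]]+hook[[:space:]]'
}

# Compares what is on disk with what the kernel has loaded and reports the
# silent "config exists but nothing is enforced" condition from the report.
# Exit codes: 0 = base chains loaded, 1 = unprotected, 2 = cannot check.
check_firewall_state() {
    conf=${1:-/etc/nftables.conf}
    [ -r "$conf" ] || { echo "NO-CONFIG: $conf is missing"; return 2; }
    command -v nft >/dev/null 2>&1 || { echo "nft not installed"; return 2; }
    if ! systemctl is-enabled --quiet nftables.service 2>/dev/null; then
        echo "DISABLED: nftables.service not enabled; $conf will not load at boot"
    fi
    live=$(nft list ruleset 2>/dev/null)
    if ruleset_has_base_chain "$live"; then
        echo "OK: kernel ruleset contains base chains"
        return 0
    fi
    echo "UNPROTECTED: $conf exists but no base chains are loaded in the kernel"
    return 1
}
```

Run `check_firewall_state` as root on the installed system; the DISABLED and UNPROTECTED lines together are exactly the situation the reporter hit.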