Besides packet processing, Linux firewall performance has a second aspect: the cost of manipulating the ruleset itself. In a world of containers, network nodes come and go quickly enough for the delay of adjusting the firewall ruleset to become a significant factor. At the same time, rulesets tend to become huge given the number of containers even a moderately specced server might host.
In the past, considerable effort went into speeding up the handling of large rulesets in legacy iptables. With the recent push, both upstream and in the distributions, to establish iptables-nft as the standard variant, a reassessment of this quality is in order. To see how bad things really are, I created a set of benchmarks to run with both variants and compared the results.
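A minimal version of such a benchmark, added here as an example and not taken from the post: it generates an iptables-restore dump with N distinct rules in a user-defined chain and times how long each variant's restore tool takes to load it. The binary names iptables-legacy-restore and iptables-nft-restore are assumed (they are what Fedora and Debian ship); the timing part needs root and replaces the filter table, so run it on a scratch VM.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the variant
# binaries are named iptables-legacy-restore and iptables-nft-restore.

# Emit an iptables-restore file for the filter table with N ACCEPT rules in a
# user-defined chain BENCH. Each rule gets a different /32 source so that no
# two rules are identical; the builtin chains keep an ACCEPT policy so the
# test box stays reachable while the benchmark runs.
gen_ruleset() {
    n="$1"
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n:BENCH - [0:0]\n'
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '%s -s 10.%d.%d.%d/32 -p tcp --dport 22 -j ACCEPT\n' '-A BENCH' \
            $(( i / 65536 % 256 )) $(( i / 256 % 256 )) $(( i % 256 ))
        i=$((i + 1))
    done
    printf 'COMMIT\n'
}

# Count the rule lines in a generated file (sanity check before timing).
count_rules() { grep -c '^-A ' "$1"; }

# Load FILE with VARIANT-restore and print the wall-clock seconds it took.
# Full restore (no --noflush) so both variants do the same amount of work:
# flush the table, then insert every rule.
bench_restore() {
    variant="$1"; file="$2"
    cmd="${variant}-restore"
    if ! command -v "$cmd" >/dev/null 2>&1; then
        echo "$cmd: not installed" >&2
        return 1
    fi
    start=$(date +%s.%N)
    "$cmd" < "$file"
    end=$(date +%s.%N)
    awk -v s="$start" -v e="$end" -v v="$variant" \
        'BEGIN { printf "%s: %.3f s\n", v, e - s }'
}

# Put an empty filter table back (also drops the BENCH chain).
reset_filter() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n' \
        | "${1}-restore"
}

RULESET=$(mktemp)
gen_ruleset "${RULES:-10000}" > "$RULESET"
echo "generated $(count_rules "$RULESET") rules in $RULESET"

# Only time the restores when we can actually talk to the kernel.
if [ "$(id -u)" -eq 0 ]; then
    for variant in iptables-legacy iptables-nft; do
        if command -v "${variant}-restore" >/dev/null 2>&1; then
            bench_restore "$variant" "$RULESET"
            reset_filter "$variant"
        fi
    done
else
    echo "not root: skipping the timed restore (run on a scratch VM as root)"
fi
rm -f "$RULESET"
```

Vary RULES (for example 1000, 10000, 100000) and compare the two numbers; repeating each run a few times and taking the median filters out cache effects. Because the same file is fed to both tools, any difference is attributable to the user-space tool and its kernel interface rather than to the rules themselves.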
Continue reading “Optimizing iptables-nft large ruleset performance in user space”
Firewalld, the default firewall management tool in Red Hat Enterprise Linux and Fedora, has gained long-sought support for nftables. This was announced in detail on firewalld's project blog. The feature landed in the firewalld 0.6.0 release as the new default firewall backend.
The benefits of nftables have been outlined on the Red Hat Developer Blog:
There are many longstanding issues with firewalld that we can address with nftables that were not possible with the old iptables backend. The nftables backend allows the following improvements:
Continue reading “Firewalld: The Future is nftables”
Wanting to become familiar with nftables, I decided to jump in at the deep end and just use it on my local workstation. The goal was to replace the existing iptables setup, ideally without any drawbacks. The following essay walks through what I did to achieve that.
Continue reading “Migrating my iptables setup to nftables”
The sheer number of tasks involved in building out automation infrastructure for a new organization never ceases to amaze me. One of the most often overlooked groups of tasks, however, is security. Though I am in no way a security expert, I know there are some basic steps we should take to protect ourselves and our precious systems.
I also know that not everyone who administers RHEL systems has an extensive background working with Linux. If, like me, you’re normally a Windows admin, yet you find yourself having to secure a RHEL system, fret not. Here are some tips for adapting what you already know about Windows security best practices to RHEL environments.
(Some of) The Basics
For our purposes here, I'm going to run through three things that I would do quickly on Windows and discuss their equivalent on RHEL. This is nowhere near a comprehensive guide, but as a starting point it should be fair enough.
- Software Updates
- User/Group Isolation
- Port Closings
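An added example, not code from the original post, that maps the three basics above onto their RHEL counterparts from a Windows admin's point of view: Windows Update becomes dnf, the local Users and Groups console becomes /etc/passwd and the wheel group, and the Windows Firewall becomes firewalld plus a look at what is actually listening. It assumes a RHEL 8/9 style host with dnf, ss and firewall-cmd installed; the allowed-port list and the sample ss output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes dnf, ss and
# firewall-cmd (RHEL 8/9); the allow list below is a made-up example.

# 1. Software updates. `dnf check-update` exits 100 when updates are pending,
#    0 when the system is current, and 1 on error (the Windows Update
#    "updates available" check, scripted).
pending_updates() {
    if dnf -q check-update >/dev/null 2>&1; then
        echo none
    else
        case $? in
            100) echo pending ;;
            *)   echo error ;;
        esac
    fi
}

# 2. User/group isolation. Any account other than root with UID 0 is a
#    second administrator hiding in plain sight; wheel is the closest thing
#    to the local Administrators group. Both take the file to read as an
#    argument so they can be run against a saved copy.
uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"; }
wheel_members() { awk -F: '$1 == "wheel" { print $4 }' "${1:-/etc/group}"; }

# 3. Port closings. Reads `ss -Hltn` output on stdin (no header, listening,
#    TCP, numeric) and prints the distinct local ports. Column 4 is
#    "address:port"; stripping up to the last colon also handles [::]:22.
listening_ports() { awk '{ sub(/.*:/, "", $4); print $4 }' | sort -un; }

# Compare the listeners against a space-separated allow list; returns 1 and
# names each port that should not be open.
unexpected_listeners() {
    allowed=" $1 "
    rc=0
    for p in $(listening_ports); do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "unexpected listener on tcp/$p"; rc=1 ;;
        esac
    done
    return $rc
}

# Closing a port in firewalld is the equivalent of removing an inbound rule
# in the Windows Firewall; --permanent plus --reload makes it survive a reboot.
close_port() {
    firewall-cmd --permanent --remove-port="$1" && firewall-cmd --reload
}

# Constructed sample of `ss -Hltn` output, used for the offline demonstration.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=900,fd=7))
LISTEN 0 4096 *:8080 *:* users:(("java",pid=1234,fd=21))'

echo "sample listeners: $(printf '%s\n' "$SAMPLE_SS" | listening_ports | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 631" || echo "(close or justify the above)"

# Against the live host, where the tools exist.
command -v dnf >/dev/null 2>&1 && echo "updates: $(pending_updates)"
echo "extra UID 0 accounts: $(uid0_accounts | tr '\n' ' ')"
echo "wheel members: $(wheel_members)"
if command -v ss >/dev/null 2>&1; then
    ss -Hltn | unexpected_listeners "${ALLOWED_PORTS:-22}" || true
fi
```

On a CI host the allow list is usually just SSH and whatever the CI agent needs; anything else that shows up in the listener check should be either closed with firewall-cmd or, better, not running at all.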
Continue reading “CI Security on Red Hat Enterprise Linux from a Windows Perspective”