Future Proofing the FreePBX Firewall

Currently FreePBX relies on iptables for the system firewall (as many still do), however, more modern OS releases are starting to move away from iptables in favor of nf_tables. By this, I mean they will completely remove the use in future releases.

Right now with Debian 12 the OS uses nf_tables as the backend when using iptables via the iptables-nft layer. I would suspect that 13 or 14 will be the point when iptables is fully replaced by nf_tables.

While nf_tables can do a lot or more than iptables, the one thing it cannot do is string matching right now. I know there are a couple STRING based rules in the FreePBX firewall…like for checking Let’s Encrypt renewals…

I’m going to say at some point, soon, looking at converting from iptables to nf_tables will need to be done.

1 Like

Yes, I do know that with Debian 12 the iptables-nft layer will convert the iptables rules to nf_tables tables and rules but it doesn’t look like all gets converted so need to verify what is missing…I know for sure the Let’s Encrypt stuff doesn’t move due to string matching not existing.

A post was split to a new topic: Trunking issue