How to confirm that nftables is enabled & in use?

Someone told me that even if an nmap scan reports that all ports are closed, it does not guarantee that nftables is actually protecting the system. It just means that there are no services listening on any ports.

Which command will confirm that nftables is actually active & protecting my installation?

I am using firewalld to manage nftables. The Arch Wiki says this:

One graphical front-end that supports both, nftables and iptables, is firewalld.[3]

Does this work: sudo nftables status. It works for ufw (an alternative way of setting a firewall, one which I use).

ufw & firewalld are basically created for the same purpose, which is to help the user configure iptables or nftables in an easy way. Neither ufw nor firewalld are firewalls by themselves. They are called “helpers”. The actual job of protecting the system is done by iptables/nftables. Nftables is the new kid & most modern distros have started replacing iptables with nftables.

$ sudo nftables status
[sudo] password for home:
sudo: nftables: command not found

I think you have to use $ nft

$ man nft

For sure, understood. It was worth a shot though. :grin:


Excuse me @ericbandrakim, there is no man entry for nft. :man_shrugging:


This is what I get.


nft is also a “helper” like ufw. I guess nftables is so new there is very little information available on the web.

Really? I’ve just run “man nft” twice and got “no manual entry for nft”. That is very strange. I’m not doubting your evidence, I just wonder what the heck is happening here! Usually I’ve found my man pages to be working just fine. It’s very weird.

I use ufw. Very easy …

That explains it: ufw vs iptables, I don’t have iptables installed, I use ufw, therefore it probably won’t show in the man pages.

I see, I have it installed. So I can get rid of it now.

edit —> bad plan

Yeah, whichever you prefer and do an -Rsn obviously so you don’t remove any needed dependencies.

ufw is just a front-end for iptables. You must have either iptables or something that provides it, like iptables-nft, installed to use it.

Also, iptables is deprecated at this point, so for most people it makes sense to switch to iptables-nft if you still have software that needs an iptables interface.

Hummm, but you use ufw and didn’t have iptables installed. That’s where I got confused ;|

Yep, figured that one! :laughing:

It is a dependency:

Repository      : community
Name            : ufw
Version         : 0.36-5
Description     : Uncomplicated and easy to use CLI tool for managing a netfilter firewall
Architecture    : any
URL             : https://launchpad.net/ufw
Licenses        : GPL3
Groups          : None
Provides        : None
Depends On      : iptables  python
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 182.36 KiB
Installed Size  : 792.12 KiB
Packager        : Felix Yan <felixonmars@archlinux.org>
Build Date      : Wed 11 Nov 2020 05:03:00 AM CST
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Oh Linux, what fun! :laughing:

Both nftables and iptables provide firewall support in the kernel and some userspace utilities to manage them. If you haven’t configured one of them, they aren’t protecting anything.

While you can configure them manually, the rules to do so are a bit complicated, so it is usually easier to use a frontend like firewalld that does that for you.

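As an added check (not code from this thread, nor part of firewalld or nftables), here is a small shell script that inspects `nft list ruleset` output and reports whether an input base chain is actually loaded, which is what "configured" means in practice; the sample rulesets embedded in it are constructed. Note that `systemctl status nftables` only reports whether the unit that loads /etc/nftables.conf ran, and firewalld loads its rules itself without that unit, so "inactive" there is expected on a firewalld-managed box.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: judge whether a loaded nftables ruleset
# actually filters inbound traffic by inspecting `nft list ruleset` output.
# Only a *base* chain (one with a "type ... hook ..." line) sees packets; a
# ruleset with no input base chain protects nothing, whatever systemctl says.
# Constructed samples, shaped like a minimal hand-written /etc/nftables.conf
# (a firewalld-generated ruleset is larger but uses the same base-chain lines).
SAMPLE_DROP='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
		iif "lo" accept
		tcp dport 22 accept
	}
}'
SAMPLE_ACCEPT='table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}
}'
SAMPLE_EMPTY=''
# check_ruleset <ruleset text>; exit status:
#   0 = input base chain with default policy drop,
#   1 = input base chain present but default policy accept,
#   2 = no input base chain at all (nothing is filtering inbound traffic).
check_ruleset() {
    hook_line=$(printf '%s\n' "$1" | grep -E 'type filter hook input ' | head -n 1) || true
    if [ -z "$hook_line" ]; then
        echo "NOT PROTECTING: no base chain hooked at input"
        return 2
    fi
    case "$hook_line" in
        *"policy drop"*)
            echo "PROTECTING: input base chain, default policy drop"
            return 0 ;;
        *)
            echo "WEAK: input base chain present, default policy accept"
            return 1 ;;
    esac
}

# Live check when nft is available and we are root; otherwise run the samples.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    check_ruleset "$(nft list ruleset 2>/dev/null)" || true
else
    for rs in "$SAMPLE_DROP" "$SAMPLE_ACCEPT" "$SAMPLE_EMPTY"; do
        check_ruleset "$rs" || true
    done
fi
```

A "WEAK" verdict still means nftables is in use, but every packet not matched by an explicit drop rule is let through, so compare the result with what your frontend claims it configured.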

@dalto
Yes, but is there a way to get confirmation?

The frustrating part is even systemctl reports both iptables & nftables as “inactive”, but someone on IRC told me that’s normal.


More confusing is this >> click here
Can’t figure out which one is in use, iptables or nftables.