by gnuser 782 days ago
As a greybeard GNU/Linux sysadmin: use raw nftables, ripping out iptables (newer GUI/TUI firewall interfaces support nftables); rip out NetworkManager, and use systemd-resolved to manage DNS. (On non-systemd systems like Devuan this changes.) Use systemd units for powerful program and service control, including systemd-nspawn for containerization.

The fact that you have to rip out that much software to make it reasonable is a fantastic argument for the BSDs.
iptables has been with us for more than 20 years and is only now being replaced (pretty slowly, I might add). The old rules are still supported through iptables-nft; you can just import them and forget nft exists.

Distributions I prefer have never used NetworkManager and haven't changed network configuration in a long time. RHEL and its rebuilds have used NM for what feels like an eternity. Ubuntu is the odd one out here with its constant churn, afaik.

Same with firewall wrappers like ufw and firewalld. Either your distribution uses one and you just use whatever has been chosen for you, or it doesn't and you go with nftables (or iptables-nft if you prefer).

This is all only really a problem if your organization uses a bunch of distributions instead of standardizing on one, but then you probably have a lot more other serious problems than learning how to configure your firewall...

As a counterpoint, I evaluated FreeBSD for a project about a year ago and was really put off by its primitive service management (compared to systemd which I know pretty well and use its features extensively, they really do help in your daily work), and the three firewalls which all seem to be approximately equally supported and you never really know where to put your time. (Unfortunately, I had to pass the OS for other reasons which have no relation to its technical merit.)
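As an added illustration of the iptables-nft import path mentioned above (this is not the commenter's own material): a constructed `iptables-save` dump for a default-deny host is translated with `iptables-restore-translate` from the iptables-nft package, and the result is syntax-checked with `nft -c` without loading it. The script assumes those tools may be absent and falls back to a hand-written native ruleset so it still runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Migrates a saved iptables ruleset to
# native nftables syntax and checks it without touching the live firewall.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample of an iptables-save dump: a typical default-deny host policy.
write_legacy_rules() {
  cat > "$WORK/rules.v4" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
  echo "$WORK/rules.v4"
}

# Translate with the iptables-nft tooling when present; otherwise emit the
# equivalent native ruleset by hand so the example still runs offline.
translate_rules() {
  out="$WORK/ruleset.nft"
  if command -v iptables-restore-translate >/dev/null 2>&1; then
    iptables-restore-translate -f "$1" > "$out"
  else
    cat > "$out" <<'EOF'
table ip filter {
  chain INPUT {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    tcp dport 22 ct state new accept
    ip protocol icmp accept
  }
  chain FORWARD { type filter hook forward priority 0; policy drop; }
  chain OUTPUT  { type filter hook output priority 0; policy accept; }
}
EOF
  fi
  echo "$out"
}

# Dry-run parse with nft -c (needs root for the netlink check); always confirm
# the default-deny policy survived translation.
check_ruleset() {
  if [ "$(id -u)" = 0 ] && command -v nft >/dev/null 2>&1; then nft -c -f "$1"; fi
  grep -q 'policy drop' "$1"
}
```

Run `write_legacy_rules`, pass its output to `translate_rules`, then `check_ruleset`; load the file with `nft -f` only after the check passes.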

? FreeBSD ships with three different firewalls in base.
Yes, however, each has a clear set of tools, and it's clear which one you are using. There are no shims to use IPFW tooling with PF and vice versa, while on Linux they are all mixed.
Sorry for such inconvenience, we will stop writing software we want so that we won't risk filling BSDers' brains.

I really don't get these criticisms: you have choice. Having choices doesn't make a system bad; it makes you have to make your choices, which can also be going towards systems where stuff is standard.

See paradox of choice.
Not having any choice isn't great either. See Soviet grocery shops.
Choice should only be offered after you have a stable foundation/base. Suppose you have a store that sells frozen food only, an incredible amount of choices, but no base ingredients like flour, grains and meat.

Software is utilitarian in nature; the goal is the task. But how do you accomplish a task with an infinite amount of tools? And not only that, but how can you be sure that the tool is secure and stable?

In that context, you accomplish the task with the default-installed iptables.
What is the BSD idempotent cattle deployment pipeline? It's all just configs selecting packages in the first place is it not?
Or just to avoid a systemd distro.
Or, and hear me out... Don't install it?
I've had nothing but issues with systemd-resolved.

NetworkManager seems to be what things are standardizing on these days. While for some reason I've always avoided NetworkManager and used various combinations as alternatives, I'm all for having one most common standard networking utility for Linux.

Same here. However, from what I've seen, touching any systemd component causes cascading issues.

I usually settle on NetworkManager, since there's not a great alternative for dealing with wifi. However, it often delegates to a giant broken pile of fail.

Things can be much simpler on machines that connect via ethernet (including VMs).

You might want to have a look at IWD, but read the docs to see how to configure it to work nicely with NetworkManager or systemd-networkd.
NetworkManager and systemd-resolved are not really interchangeable. The latter is a local caching multiprotocol name resolver and NetworkManager supports its use for name resolution.
systemd-nspawn is like a secret weapon. Very few resources about containers mention it. I use it all over the place.