nftables is the current implementation, iptables is now just a
translation layer from the historical iptables interface. You can use whichever interface you prefer.
On Wed, 6 Aug 2025 11:38:12 +0100, Mike Scott wrote:
pf's tables - a list of ip addresses you treat within the rules as a
group, and change on the fly as desired. (pfctl -t inboundblock -T
add 1.2.3.0/24; pfctl -t inboundblock -T show). If something similar
is available, I certainly couldn't find it.
I think they’re called “sets” <https://manpages.debian.org/nftables(8)#SETS>. You can have named ones and anonymous ones.
Note also the subsequent sections on “maps” and “elements”.
For someone trying to get to grips with this, how does it help to
have a plethora of alternatives, a mound of interfaces, and - let's
face it - an awful lot of poor documentation around.
That’s why you have the more-user-friendly front ends like those
described in the article I originally referenced.
I don’t know. I’m just able to read documentation. I thought that was a skill that was so commonplace among folks who work with computers for a living that you could take it for granted, but apparently not.
On 11/08/2025 23:02, Lawrence D'Oliveiro wrote:
I don’t know. I’m just able to read documentation. I thought that was a skill that was so commonplace among folks who work with computers for a living that you could take it for granted, but apparently not.
The horror is manuals written by the code-writer. They describe in
intimate detail each and every function; but not how it all hooks up. In
this case, I'd not even seen the nft man page, because I'd been
searching for the wrong terms, hadn't got there because I'd got drowned
in a morass of ipfilter and similar stuff, now apparently out-of-date;
and gave it up as a bad job.
What's wrong with a couple of clear examples, plus the detail to expand
on them?
I have the feeling you didn’t even bother doing a web search, because ...
On Wed, 6 Aug 2025 12:46:30 +0200, Carlos E.R. wrote:
I don't trust my router, provided by the ISP.
I bought my own. I could even run my own routing stack on a Linux box.
On 2025-08-12 09:39, Mike Scott wrote:
On 11/08/2025 23:02, Lawrence D'Oliveiro wrote:
I don’t know. I’m just able to read documentation. I thought that was a skill that was so commonplace among folks who work with computers for a living that you could take it for granted, but apparently not.
The horror is manuals written by the code-writer. They describe in
intimate detail each and every function; but not how it all hooks up.
In this case, I'd not even seen the nft man page, because I'd been
searching for the wrong terms, hadn't got there because I'd got
drowned in a morass of ipfilter and similar stuff, now apparently out-
of-date; and gave it up as a bad job.
What's wrong with a couple of clear examples, plus the detail to
expand on them?
+1
On 2025-08-20, Lawrence D’Oliveiro wrote:
On Tue, 19 Aug 2025 12:41:46 +0200, Carlos E.R. wrote:
On 2025-08-07 01:56, Lawrence D'Oliveiro wrote:
On Wed, 6 Aug 2025 12:46:30 +0200, Carlos E.R. wrote:
I don't trust my router, provided by the ISP.
I bought my own. I could even run my own routing stack on a Linux box.
The configuration needed by the ISP on the router is not documented ...
Here in NZ it’s all standard protocols. I bought the router from a local retailer, not from the ISP. Setup was straightforward -- the router calls the setup option I am using “Dynamic IP”, but I think it’s just DHCP.
In this case, I think we're talking about a box with router and a bunch of other stuff, to deal with incoming GPON (can this part still be called modem, or the workings of fiber disqualify that?) and at least outgoing coax for TV, RJ11 for telephony and 8p8c for Ethernet.
I've seen these called "ONT", but it seems (from another thread here) that this may not be entirely appropriate either?
On Tue, 19 Aug 2025 12:35:53 +0200, Carlos E.R. wrote:
What's wrong with a couple of clear examples, plus the detail to expand on them?
+1
There’s a whole website devoted to that, as I mentioned elsewhere.
On Wed, 20 Aug 2025 12:52:56 +0200, Carlos E.R. wrote:
On 2025-08-20 03:01, Lawrence D’Oliveiro wrote:
On Tue, 19 Aug 2025 12:35:53 +0200, Carlos E.R. wrote:
What's wrong with a couple of clear examples, plus the detail to expand on them?
+1
There’s a whole website devoted to that, as I mentioned elsewhere.
Not good enough, it should be inside the manuals.
The man page has examples, too. Naturally a tutorial/wiki site has more.
Remember what reference documentation is for: it’s to act, no more and no less, as the definitive reference to all the details of functionality, not
to offer hand-holding tutorial recipes for every conceivable thing you
might want to do with that functionality.
I do not want reference documentation.
I primarily want documentation that allows me to start using a new
program, fast, and to achieve my goals.
Once I have that, I want the reference documentation.
On 21/08/2025 10:44, Carlos E.R. wrote:
I do not want reference documentation.
I primarily want documentation that allows me to start using a new
program, fast, and to achieve my goals.
Once I have that, I want the reference documentation.
+1001
On 2025-08-21, Carlos E.R. wrote:
On 2025-08-21 12:34, The Natural Philosopher wrote:
[...]
On 21/08/2025 10:44, Carlos E.R. wrote:
I do not want reference documentation.
I primarily want documentation that allows me to start using a new
program, fast, and to achieve my goals.
Once I have that, I want the reference documentation.
+1001
To that I added "bird.avi" as output file, but WhatsApp rejected
it. So I told ChatGpt all that. It replied giving me the missing data:
ffmpeg -i IMAG0009.avi -vf "scale=640:-2" -c:v libx264 -profile:v \
baseline -level 3.0 -preset fast -c:a aac -b:a 128k \
-movflags +faststart bird_whatsapp.mp4
and that worked. Having that command line, I modified it easily for
more resolution (scale=1024:-2). I was already familiar with all the
options, I just needed to find which would produce the wanted result,
and not spend a day on it.
But if I want to find in the manual what "-b" stands for, I fail. Ask
chatgpt, instant reply, it is bitrate. Oh, yes, I remember now.
:-)
Oh, searching the man for "movflags" or "faststart" fails. So ask the
AI. They are in the man page for the MP3 muxer, it says. Oh, right, I
forgot that.
So, even a reference manual is hard to use when you want to find a
particular reference, basically using "grep".
(ffmpeg's online manual is spread over more than one page, isn't it?)
Having been pointed at nftables as the right direction, I had a word
with chatgpt asking for examples for my use case. I treat the answers
with suspicion, but they seem clear and reasonable, and I'll take a good
look when I've time.
(I'd given up on chatgpt ages ago, when it made Noddy mistakes on
trivial code examples. Looks like things have improved since then.)
Thanks all for helpful answers.
On Wed, 27 Aug 2025 06:56:46 +0100, Mike Scott wrote:
pf allows, for example
pfctl -t inboundblock -T replace -f /etc/firewall/inboundblock
which is an atomic operation.
The docs say
nft -f «file»
is an atomic operation. You might have known that if you’d read them.
man nft |grep atomic
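The nftables counterpart to the pf table asked about earlier in the thread (sets, named and anonymous) and to the atomic `pfctl -T replace -f` just discussed, as an added example that is not any poster's code: a named set `inboundblock` used by the rules as a group, with the `nft` commands that add, list and atomically replace its members noted in comments. The interface name `eth0` and the addresses 203.0.113.7, 198.51.100.0/24 and 203.0.113.0/24 are assumptions; 1.2.3.0/24 is the prefix from Mike's pfctl example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Load the whole file with: nft -f <file>
# The file is applied as one transaction: either all of it takes effect or
# none of it does, which is the "atomic" behaviour the nft man page refers to.
flush ruleset

table inet filter {
    # Named set: the nftables equivalent of a pf table. Rules refer to it as
    # a group; its members can be changed at any time without reloading rules.
    # "flags interval" lets it hold prefixes as well as single addresses.
    set inboundblock {
        type ipv4_addr
        flags interval
        elements = { 1.2.3.0/24, 203.0.113.7 }   # constructed sample members
    }

    chain input {
        type filter hook input priority filter; policy accept;

        ct state established,related accept

        # Drop inbound traffic whose source is in the set
        # (pf: block in from <inboundblock>).
        iif "eth0" ip saddr @inboundblock counter drop

        # Anonymous set: written inline and fixed for the life of the rule.
        iif "eth0" tcp dport { 22, 2222 } ct state new counter accept
    }
}

# Runtime changes, each the counterpart of a pfctl -T subcommand:
#   pfctl -t inboundblock -T add 198.51.100.0/24
#       -> nft add element inet filter inboundblock '{ 198.51.100.0/24 }'
#   pfctl -t inboundblock -T show
#       -> nft list set inet filter inboundblock
#   pfctl -t inboundblock -T delete 198.51.100.0/24
#       -> nft delete element inet filter inboundblock '{ 198.51.100.0/24 }'
#
# pfctl -t inboundblock -T replace -f FILE has no single-command equivalent,
# but a file containing the two lines below, loaded with "nft -f", swaps the
# set's contents in one transaction (both lines succeed or neither does):
#   flush set inet filter inboundblock
#   add element inet filter inboundblock { 198.51.100.0/24, 203.0.113.0/24 }
```

Check a file without loading it with `nft -c -f <file>`; `nft list set inet filter inboundblock` afterwards shows the live members.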
On Fri, 29 Aug 2025 00:56:54 -0000 (UTC)
Lawrence D’Oliveiro <ldo@nz.invalid> wrote:
To be fair, the online wiki does give the answer. Which raises the
issue, again, of documentation standards. When important matters are
absent from at least some key docs, then what?
Weren’t you one of those complaining that bare reference material
wasn’t enough? That you wanted tutorial examples and how-tos and all
that? Then when I mention that all that is available, you now find
a new reason to complain?
Again, when important information for *core networking tools* is only
found on the Web, it hardly takes a great sage to discern the problem.
On 2025-08-30, Lawrence D’Oliveiro wrote:
On Fri, 29 Aug 2025 08:10:08 -0700, John Ames wrote:
On Fri, 29 Aug 2025 00:56:54 -0000 (UTC)
Lawrence D’Oliveiro <ldo@nz.invalid> wrote:
Weren’t you one of those complaining that bare reference material
wasn’t enough? That you wanted tutorial examples and how-tos and
all that? Then when I mention that all that is available, you
now find a new reason to complain?
Again, when important information for *core networking tools* is
only found on the Web, it hardly takes a great sage to discern the
problem.
The problem is, you don’t understand the Web?
Because *everything* is on the Web these days. If you can’t figure out
basic Web searching, then perhaps you should stay away from computers
altogether?
If there's no network connectivity, your web search skills won't do
much?
On 29/08/2025 16:10, John Ames wrote:
On Fri, 29 Aug 2025 00:56:54 -0000 (UTC)
Lawrence D’Oliveiro <ldo@nz.invalid> wrote:
To be fair, the online wiki does give the answer. Which raises the
issue, again, of documentation standards. When important matters are
absent from at least some key docs, then what?
Weren’t you one of those complaining that bare reference material
wasn’t enough? That you wanted tutorial examples and how-tos and all
that? Then when I mention that all that is available, you now find
a new reason to complain?
Again, when important information for *core networking tools* is only
found on the Web, it hardly takes a great sage to discern the problem.
The problem is that it is /not/ all available. I'm quite stumped about
one particular issue for which there seem no references at all that I
can find: and believe me, I have looked.
Ironically, chatgpt has been a help. It makes so many errors that
sorting them out has been quite educational.
Oh - the problem in hand. No doubt it's easy when you know: single
interface, allow all lan traffic, block wan inbound to port 22, redirect
wan inbound on port 12345 to 22 and pass. Block wan inbound otherwise.
If anyone has a config snippet to do this, I'd be very grateful.
On 29.8.2025 21.16, Mike Scott wrote:
On 29/08/2025 16:10, John Ames wrote:
On Fri, 29 Aug 2025 00:56:54 -0000 (UTC)
Lawrence D’Oliveiro <ldo@nz.invalid> wrote:
To be fair, the online wiki does give the answer. Which raises the
issue, again, of documentation standards. When important matters are absent from at least some key docs, then what?
Weren’t you one of those complaining that bare reference material
wasn’t enough? That you wanted tutorial examples and how-tos and all that? Then when I mention that all that is available, you now find
a new reason to complain?
Again, when important information for *core networking tools* is only
found on the Web, it hardly takes a great sage to discern the problem.
The problem is that it is /not/ all available. I'm quite stumped about
one particular issue for which there seem no references at all that I
can find: and believe me, I have looked.
Ironically, chatgpt has been a help. It makes so many errors that
sorting them out has been quite educational.
Oh - the problem in hand. No doubt it's easy when you know: single
interface, allow all lan traffic, block wan inbound to port 22,
redirect wan inbound on port 12345 to 22 and pass. Block wan inbound
otherwise. If anyone has a config snippet to do this, I'd be very
grateful.
Mike,
The tool you need is called nftables, with a command line
interface program called nft.
Google for nftables documentation, read and understand it, the
response is there with examples. It is difficult to provide a
good snippet without your networking details.
You could also configure the ssh daemon with a secondary port
of 12345, just pass it, to avoid the port translation step.
On 30/08/2025 14:59, Tauno Voipio wrote:
On 29.8.2025 21.16, Mike Scott wrote:
On 29/08/2025 16:10, John Ames wrote:
On Fri, 29 Aug 2025 00:56:54 -0000 (UTC)
Lawrence D’Oliveiro <ldo@nz.invalid> wrote:
To be fair, the online wiki does give the answer. Which raises the issue, again, of documentation standards. When important matters are absent from at least some key docs, then what?
Weren’t you one of those complaining that bare reference material
wasn’t enough? That you wanted tutorial examples and how-tos and all that? Then when I mention that all that is available, you now find a new reason to complain?
Again, when important information for *core networking tools* is only
found on the Web, it hardly takes a great sage to discern the problem.
The problem is that it is /not/ all available. I'm quite stumped
about one particular issue for which there seem no references at all
that I can find: and believe me, I have looked.
Ironically, chatgpt has been a help. It makes so many errors that
sorting them out has been quite educational.
Oh - the problem in hand. No doubt it's easy when you know: single
interface, allow all lan traffic, block wan inbound to port 22,
redirect wan inbound on port 12345 to 22 and pass. Block wan inbound
otherwise. If anyone has a config snippet to do this, I'd be very
grateful.
Mike,
The tool you need is called nftables, with a command line
interface program called nft.
Google for nftables documentation, read and understand it, the
response is there with examples. It is difficult to provide a
good snippet without your networking details.
You could also configure the ssh daemon with a secondary port
of 12345, just pass it, to avoid the port translation step.
We're going in circles here.... there's an issue with lack of decent
docs (and examples) for nft - it seems that port blocking occurs after
the redirection, with unhappy consequences, and I find no usable
information suggesting any other possibility.
I have running on freebsd, and am trying to move to linux, a server that ignores port 22 from the net at large, but accepts (similar to) 12345,
just to provide an extra layer of obfuscation to wannabe attackers.
It's a 2-line doddle on freebsd's pf firewall; I can't for the life of
me work out the nftables equivalent, and begin to wonder if indeed it
can be done.
I suppose opening multiple ssh listener ports is another solution
(thanks), but the original problem should - surely - be solvable: it
also pops up for other services but which won't necessarily have the workaround.
On 30.8.2025 20.45, Mike Scott wrote:
On 30/08/2025 14:59, Tauno Voipio wrote:
On 29.8.2025 21.16, Mike Scott wrote:
On 29/08/2025 16:10, John Ames wrote:
On Fri, 29 Aug 2025 00:56:54 -0000 (UTC)
Lawrence D’Oliveiro <ldo@nz.invalid> wrote:
To be fair, the online wiki does give the answer. Which raises the issue, again, of documentation standards. When important matters are absent from at least some key docs, then what?
Weren’t you one of those complaining that bare reference material wasn’t enough? That you wanted tutorial examples and how-tos and all that? Then when I mention that all that is available, you now find a new reason to complain?
Again, when important information for *core networking tools* is only found on the Web, it hardly takes a great sage to discern the problem.
The problem is that it is /not/ all available. I'm quite stumped
about one particular issue for which there seem no references at all
that I can find: and believe me, I have looked.
Ironically, chatgpt has been a help. It makes so many errors that
sorting them out has been quite educational.
Oh - the problem in hand. No doubt it's easy when you know: single
interface, allow all lan traffic, block wan inbound to port 22,
redirect wan inbound on port 12345 to 22 and pass. Block wan inbound
otherwise. If anyone has a config snippet to do this, I'd be very
grateful.
Mike,
The tool you need is called nftables, with a command line
interface program called nft.
Google for nftables documentation, read and understand it, the
response is there with examples. It is difficult to provide a
good snippet without your networking details.
You could also configure the ssh daemon with a secondary port
of 12345, just pass it, to avoid the port translation step.
We're going in circles here.... there's an issue with lack of decent
docs (and examples) for nft - it seems that port blocking occurs after
the redirection, with unhappy consequences, and I find no usable
information suggesting any other possibility.
I have running on freebsd, and am trying to move to linux, a server
that ignores port 22 from the net at large, but accepts (similar to)
12345, just to provide an extra layer of obfuscation to wannabe
attackers.
It's a 2-line doddle on freebsd's pf firewall; I can't for the life of
me work out the nftables equivalent, and begin to wonder if indeed it
can be done.
I suppose opening multiple ssh listener ports is another solution
(thanks), but the original problem should - surely - be solvable: it
also pops up for other services but which won't necessarily have the
workaround.
I'm writing this just on a network, where the Linux router is having
a ruleset resembling what you ask for.
Please look at <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>
The nftables pages contain the information you need.
You need to block the inbound TCP port 22 coming from the external
interface. The correct place is in the ip nat table, PREROUTING chain.
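A ruleset for the problem Mike states (single interface, all LAN traffic allowed, WAN connections to port 12345 redirected to 22 and passed, everything else from the WAN including direct attempts on 22 dropped), as an added example that is not code from any poster. It keeps the redirect in the nat prerouting chain and does the filtering in the filter input chain, where a redirected connection is recognised by its original destination port rather than by `tcp dport`, which already reads 22 by the time that hook runs; this is the ordering problem Mike describes. The interface `eth0`, the LAN prefix 192.168.1.0/24 and sshd listening only on 22 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumes one interface, eth0, carrying
# both LAN (192.168.1.0/24, assumed) and WAN traffic, and sshd on port 22.
# Check with: nft -c -f <file>    Load with: nft -f <file>
flush ruleset

define lan_net = 192.168.1.0/24

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Only the first packet of a connection traverses this chain. Rewrite
        # non-LAN connections to 12345 so they reach sshd on 22; conntrack
        # keeps the original port, which the input chain matches on below.
        iif "eth0" ip saddr != $lan_net tcp dport 12345 redirect to :22
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept

        # "allow all lan traffic"
        ip saddr $lan_net accept

        # "redirect wan inbound on port 12345 to 22 and pass": at this hook
        # the packet already carries dport 22, so matching on "tcp dport 12345"
        # would never hit; match the connection's original dport instead.
        ct original proto-dst 12345 tcp dport 22 ct state new counter accept

        # "block wan inbound to port 22" and "block wan inbound otherwise":
        # a direct attempt on 22 has original proto-dst 22, misses the rule
        # above and falls to the drop policy; count it so it shows in
        # "nft list ruleset".
        counter comment "wan inbound dropped"
    }
}
```

From outside the LAN, `ssh -p 12345 <server>` should connect and `ssh -p 22 <server>` should time out; the counters in `nft list ruleset` show which rule each attempt hit.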