If I'm to use the on-host Linux firewall facilities ever again, they'll have to at least consider implementing security zones, like what I have on the Juniper SRX
Not even products based on iptables (or whatever is being used this week) successfully hide the complexity, especially not when any NAT is involved. (looking at you, EdgeOS GUI...)
In general, firewall implementation is being made more difficult than it needs to be.
@yakkoj Have you ever considered using #Netplan?
#ItJust works and also does all the nice stuff, like #VLAN's and #Bonding...
Personally, I prefer putting #firewalling into the #Networking segment and put a #pfSense, #tnsr or #OPNsense in between it and the Interwebz.
But Netplan allows you to go precise and i.e. specify that no incoming connections are permitted on the Storage-LAN used for iSCSI traffic at MTU 9k and other stuff...
yakkoj 🦊
Kevin Karhan 