1

Topic: How to install and configure nftables (firewall) in Hyperbola.

Hi all. Please tell me how to configure nftables (firewall) correctly.
I couldn't find any information on the forum or wiki; in my opinion this is the first thing you need to do after installing the distro.

The syntax of this firewall is much longer than that of ufw.

I would like to configure the rules after enabling the firewall.

1. Deny all incoming and outgoing connections.

2. Allow outgoing connections on a specific interface (eth0, wlan0)

3. Allow outgoing connections for specific ports (80, 443, 22)

2

Re: How to install and configure nftables (firewall) in Hyperbola.

I'm not that deep into this myself, but I can provide an example from Emulatorman, as he is working with it.

#!/sbin/nft -f
# vim:set ts=4:

# Clear all prior state
flush ruleset

# ----- IPv4/IPv6 -----
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop \
        comment "early drop of invalid packets"
        ct state {established, related} counter accept \
        comment "accept all connections related to connections made by us"
        iif lo accept \
        comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop \
        comment "drop connections to loopback not coming from loopback"
        iif != lo ip6 daddr ::1/128 counter drop \
        comment "drop connections to loopback not coming from loopback"

        ip saddr 10.1.1.2 accept \
        comment "accept connection from foo's vpn address (sample1)"
        ip saddr 10.2.1.2 accept \
        comment "accept connection from bar's vpn address (sample2)"

        ip protocol icmp icmp type {
            echo-reply,  # type 0
            destination-unreachable,  # type 3
            echo-request,  # type 8
            time-exceeded,  # type 11
            parameter-problem,  # type 12
        } accept \
        comment "Accept ICMP"
        counter comment "count dropped packets"

        ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable,  # type 1
            packet-too-big,  # type 2
            time-exceeded,  # type 3
            parameter-problem,  # type 4
            echo-request,  # type 128
            echo-reply,  # type 129
        } accept \
        comment "Accept basic IPv6 functionality"

        ip6 nexthdr icmpv6 icmpv6 type {
            nd-router-solicit,  # type 133
            nd-router-advert,  # type 134
            nd-neighbor-solicit,  # type 135
            nd-neighbor-advert,  # type 136
        } ip6 hoplimit 255 accept \
        comment "Allow IPv6 SLAAC"

        ip6 nexthdr icmpv6 icmpv6 type {
            mld-listener-query,  # type 130
            mld-listener-report,  # type 131
            mld-listener-reduction,  # type 132
            mld2-listener-report,  # type 143
        } ip6 saddr fe80::/10 accept \
        comment "Allow IPv6 multicast listener discovery on link-local"

        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
        comment "Accept DHCPv6 replies from IPv6 link-local addresses"
        counter comment "count dropped packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!
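The opening post asked for something the ruleset above does not do: deny in both directions and allow outgoing traffic only on given interfaces and ports (its output chain has policy accept). The following is an added example, neither Emulatorman's ruleset nor anything from the thread; the interface names eth0/wlan0 and ports 22/80/443 come from the question, while the DNS, DHCP and IPv6 neighbour-discovery rules are assumptions added because almost nothing works without them.

```nft
# Added example: default-deny input and output, egress only on the
# listed interfaces and only to the listed TCP ports.
# Assumptions: interfaces eth0/wlan0, ports 22/80/443; DNS, DHCP and
# IPv6 neighbour discovery are let out as well. Delete those rules if
# you really want nothing but the three ports.

flush ruleset

table inet filter {
    # Interfaces on which new outgoing connections may be opened
    set egress_ifaces {
        type ifname
        elements = { "eth0", "wlan0" }
    }

    # TCP destination ports this host may connect to
    set egress_tcp_ports {
        type inet_service
        elements = { 22, 80, 443 }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state invalid counter drop comment "drop invalid packets"
        ct state { established, related } counter accept \
            comment "replies to connections opened by this host"
        iif lo accept comment "loopback"
        # no new inbound connections at all; the policy drops them
        counter comment "count dropped inbound packets"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        counter comment "count dropped forwarded packets"
    }

    chain output {
        type filter hook output priority filter; policy drop;

        ct state invalid counter drop comment "drop invalid packets"
        ct state { established, related } counter accept \
            comment "packets of already accepted connections"
        oif lo accept comment "loopback"

        # the actual egress policy: interface set AND port set must match
        oifname @egress_ifaces ct state new tcp dport @egress_tcp_ports \
            counter accept comment "new ssh/http/https connections out"

        # assumption: name resolution is still wanted
        oifname @egress_ifaces ct state new udp dport 53 counter accept \
            comment "DNS out"
        oifname @egress_ifaces ct state new tcp dport 53 counter accept \
            comment "DNS over TCP out"
        # assumption: addresses are obtained via DHCP
        oifname @egress_ifaces udp sport 68 udp dport 67 counter accept \
            comment "DHCPv4 client"
        oifname @egress_ifaces udp sport 546 udp dport 547 counter accept \
            comment "DHCPv6 client"
        # assumption: IPv6 is in use; without ND no IPv6 neighbour is reachable
        oifname @egress_ifaces icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } \
            accept comment "IPv6 neighbour discovery"

        counter comment "count dropped outbound packets"
    }
}
```

Validate the file with `nft -c -f <file>` before loading it with `nft -f <file>`, then inspect the live state with `nft list ruleset`; the counters on the final rules of each chain show what the default-deny policy is silently dropping.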

3

Re: How to install and configure nftables (firewall) in Hyperbola.

Thank you for your answer. What command did you use to get this output?

$ doas nft list ruleset 

Why was UFW removed? For the user it has a simpler and more understandable syntax. I looked at the UFW dependencies https://git.alpinelinux.org/aports/tree … /APKBUILD: they are iptables and python3, there is nothing wrong there.

It seems to me that the wiki should indicate the basic firewall settings or give an explanation of how to set up the firewall from the very beginning; I don't think that an ordinary user would write rules like this))

# nft flush ruleset
# nft add table ip FIREWALLIPv4
# nft add chain ip FIREWALLIPv4 INCOMING { type filter hook input priority 0 \; policy drop \; }
# nft add chain ip FIREWALLIPv4 FORWARDING { type filter hook forward priority 0 \; policy drop \; }
# nft add chain ip FIREWALLIPv4 OUTGOING { type filter hook output priority 0 \; policy accept \; }
# nft add rule ip FIREWALLIPv4 INCOMING iifname "lo" counter accept
# nft add rule ip FIREWALLIPv4 INCOMING ct state related,established counter accept
# nft add rule ip FIREWALLIPv4 INCOMING iifname "eth0" ip saddr 10.1.5.0/24 ct state new tcp dport 22 counter accept comment \"Allow access to SSH-server\"
# nft add rule ip FIREWALLIPv4 INCOMING iifname "eth0" ip saddr 10.1.0.0/13 ct state new icmp type echo-request counter accept comment \"Allow ping\"
# nft add rule ip FIREWALLIPv4 INCOMING iifname "eth0" ip saddr 10.1.0.0/13 ct state new tcp dport {80, 443} counter accept comment \"Allow access to Web-server\"
# nft add table ip6 FIREWALLIPv6
# nft add chain ip6 FIREWALLIPv6 INCOMING { type filter hook input priority 0 \; policy drop \; }
# nft add chain ip6 FIREWALLIPv6 FORWARDING { type filter hook forward priority 0 \; policy drop \; }
# nft add chain ip6 FIREWALLIPv6 OUTGOING { type filter hook output priority 0 \; policy accept \; }

4

Re: How to install and configure nftables (firewall) in Hyperbola.

You know, I find it a bit funny, because we two indirectly go through most packages, as you have questions why some are not there, and in fact we go through most of them with explanations. smile No, this is NOT criticism. Not even sarcasm. But I nevertheless find it important not to underestimate the reasoning given. So I'm happy to explain here: The problem is iptables, as Hyperbola made the decision to ditch it completely and orient only on nftables.

I did try to evaluate a possible integration, but we ended up again only adding another layer on top of nftables (here). See, the effort of doing this was and is too high, with too little outcome for Hyperbola as a future BSD-system.

Next, look into the packaging-script from Alpine, as ufw is ONLY GNU/Linux: https://pkgs.org/download/ufw

So it brings us nothing for HyperbolaBSD. I hope I was able to explain the reasoning behind it a bit more. Please also remember that our GNU/Linux-libre system is going exactly in the direction of building up the base for HyperbolaBSD. So we have it easier with porting. smile It is not meant to be developed in parallel.


5

Re: How to install and configure nftables (firewall) in Hyperbola.

If you don't mind: Please stop comparisons with other system-distributions, jim. Those comparisons do not help much. They only tell more about those system-distributions, not about Hyperbola. Since version 0.4 there was no ufw, and per definition it was never removed. Version 0.4 was rebuilt from scratch: All the PKGBUILDs are ours now. In the versions before, this was done with a snapshot and only partial rebuilding and replacing.


6

Re: How to install and configure nftables (firewall) in Hyperbola.

Thank you for your answer.
I would like to answer you about the comparison. To give an example, I need to take it from somewhere; I take the example of Arch-like systems. If it's more convenient for you, I can take an example from the Arch git.

I think users who read us understand perfectly well that this is just an example and not a comparison, there is no point in digital jealousy)) (my expression)


I think that they will never compare what is made from scratch. But if someone took some distro as a base for their system from one place, then added (changed) something else and called it something else, users understand this, so they will always compare, since this is not a product made from scratch (from the very beginning).
If you paint a potato red, it will not become a tomato)) It will be a red potato!

As for iptables and nftables, do you know that they are made by the same developers?)) They simply remade iptables from a syntax point of view, nothing special.

I looked at iptables; its dependencies https://gitlab.archlinux.org/archlinux/ … 1eec9bbbd0 are all there in Hyperbola. Can I build it? Personally, I find the UFW syntax more convenient and clearer.

If we are talking about HyperbolaBSD, then the pf firewall is not as complex as ufw in terms of syntax, but at the moment I would use ufw.

7

Re: How to install and configure nftables (firewall) in Hyperbola.

Sure thing, comparisons are also a point to support and help. From both our perspectives this is a conclusion and logic. I can only reflect and give you the feedback we have received over the years. Hyperbola has many packages and scripts built directly from scratch, and no other system has those. The issue from my point of view is also where some people root Hyperbola: As a long-term Arch-comparable system. Sure thing, we have the same package-management and also very clear basics, but also very different goals. So I think we need to change Hyperbola's description at the FSF next, for 0.4.5 to come. Perhaps as a proposal: What do you think about a community-question as a thread? Collecting proposals and creating together a newer, better description for Hyperbola. smile

About iptables: Can you build it? Sure thing. Only be careful about your system: I would recommend first trying it with qemu and qtemu (for managing). Just to be sure for yourself.


8

Re: How to install and configure nftables (firewall) in Hyperbola.

Hello. Thanks for your answer and clarification.

I am sure that when the Hyperbola project has a larger financial budget, you will be able to create your own system from scratch. You need a good, large team of professionals to do this; this is obviously like 2x2)) It is impossible to create complex projects when you have a team of 3 people. If you analyze donations over recent years, you will see that this is very little and the trend is not improving.

Perhaps when you create HyperbolaBSD the situation will improve, the professional community knows that some of the most secure server solutions are OpenBSD systems, if not the most secure in the world.
A certain number of users will switch to you, which will give you opportunities for development (my opinion)

As for building iptables, I tried it yesterday but got an error; I wanted to ask you for help with the build, since you are the best))

So, my steps:

Clone

$ git clone https://gitlab.archlinux.org/archlinux/packaging/packages/iptables.git
$ cd iptables
$ makepkg -si

There was an error with the gpg key, ok:

$ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys D55D978A8A1420E4

Check:

$ gpg -k


Next I needed to download several packages, and then I encountered errors that drove me in circles))


mkdir: cannot create directory 'build' : File exists
==> ERROR: A failure occurred in prapare().
    Aborting

ok

$ rm -rf src/
$ makepkg -si 
***Error: no suitable 'libnftnl' found 
   Please install the 'libnftnl' package
   Or consider  --disable-nftables to skip
   iptables-compat over nftables support.
==> ERROR: A failure occurred in prapare().
    Aborting

libnftnl was installed; I reinstalled it, and then everything went in circles again.


Maybe I need to install an older version?

9 (edited by jim 2024-01-11 14:08:52)

Re: How to install and configure nftables (firewall) in Hyperbola.

I understood what needed to be done: I downloaded and compiled a new library https://gitlab.archlinux.org/archlinux/ … s/libnftnl and everything worked.

To install iptables, you need to remove nftables (if installed) and disable all services.

10

Re: How to install and configure nftables (firewall) in Hyperbola.

Please understand: Complexity <> minimalism. We have no interest in more complexity, as we want to reduce that. The financials are a common point every project has, which may sound a bit more uncommon. So people are either not interested or reject it from the very beginning. So we are "okay" with having a niche for really interested people. The point here is another: People being interested is one thing; another is people understanding that free, libre software lives from people getting hands on and supporting it. Getting a team together also builds upon getting people to get in touch, communicate, test out, document (and stay on the documentation) and give feedback.

We therefore had different, not so positive experiences in the past, as some people promised very much but later did not keep the promises given. May it be:

- Giving a helping hand, perhaps with creating handbooks or whatever else in the project
- Just testing a bit more
- Support with development (while pretending to have experience)
- Donating money, as they said months ago they surely would (never reporting back afterwards)
- Asking around who is willing to support further in different fields
- Documenting in the wiki and staying onwards with the corresponding article (including testing)

.. or even just this: Pretending to work with and for Hyperbola, when they have not even Hyperbola installed or do not want to bother with doing so. Yes, all of this was and is experience. And exactly therefore we are a bit tired in those directions. Sure, everyone has a different perspective and may take it more easy or not. In the end: When you give much time, personal engagement and so-called "heart bleed" into such a project, you therefore have a very strong perspective on keeping it safe. And the bigger any community, the less safe a project gets, from experience spoken: There are more people wanting feature X and addition Y, which results in more possible problems. And we also had people thinking to get into Hyperbola and make it their own playfield and toy, just for their current fun, with really unfriendly discussions following. So we tried our best to keep Hyperbola as a project safe, working and going on. But it is also an illusion to compare Hyperbola with other projects that have a completely different goal: Hyperbola is and will be a little but stable and long-term operating-system as a BSD-descendant, as near to UNIX as possible. It goes towards clients and servers, giving users technical emancipation and freedom for their data, while surely demanding their own learning. What Hyperbola is NOT: A BSD-base with more and more packages added, a resulting more complex system with another empty promise of being "self-aware". Nope, that's not the point! smile

And we had many talks with people stating that Hyperbola "needs to be more bigger", "needs to be all around", "needs to support all common architectures for CPUs" and so much more. All of this is only one thing: Dreamcastle-building, as in the end Hyperbola won't be different from any other system out there, forgetting about its roots and ideas. So yes: A niche, but with the issue that people need to understand that phrases like "sharing is caring" are more than phrases, and that a helping hand for building is also valuable, the same as giving some money every month, not a big amount, just to support. The other way is to be seen elsewhere: Projects giving big news like a yearly congress and more, while, looking closely enough, those "events" are just more sponsored and the projects are driven into full dependency on other groups (nothing in special, can be a wide variety). And at some point? Those projects get the call to "implement" something, or the donation and sponsorship is gone, while the community nevertheless thinks all is "done independently". That's the dreamcastle, that's the illusion. And "getting bigger" is not the answer to this.


11

Re: How to install and configure nftables (firewall) in Hyperbola.

jim wrote:

I understood what needed to be done: I downloaded and compiled a new library https://gitlab.archlinux.org/archlinux/ … s/libnftnl and everything worked.

To install iptables, you need to remove nftables (if installed) and disable all services.

As said: That's the completely wrong way from our perspective; the point was to exclude iptables and therefore depending packages like ufw.


12

Re: How to install and configure nftables (firewall) in Hyperbola.

I compiled iptables and tried to launch ufw, but I got this error that I need to fix:

$ doas ufw enable 

ERROR: problem running ufw-init
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/5.10.127-gnu1-1-lts
iptables v1.8.10 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/5.10.127-gnu1-1-lts
iptables v1.8.10 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/5.10.127-gnu1-1-lts
iptables v1.8.10 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I also can't use the ip command.

13 (edited by jim 2024-01-11 17:07:31)

Re: How to install and configure nftables (firewall) in Hyperbola.

Why can't I install iproute2 (ip) separately?

When I try to install this program, is the nftables firewall installed along with it?

14

Re: How to install and configure nftables (firewall) in Hyperbola.

You need to analyze the differences of Hyperbola as a system, jim. Here is the dependency-tree for our iproute2:

    libelf
    nftables
    linux-atm (optional) - ATM support
    linux-atm (make)
    quilt (make)

And as you have noted that you have taken the source-data from Arch GNU/Linux, here is the iproute2 from Arch GNU/Linux:

    glibc
    iptables
    libbpf
    libcap
    libelf
    db5.3 (optional) - userspace arp daemon
    linux-atm (optional) - ATM support
    python (optional) - for routel
    linux-atm (make)

So you see that it is not enough to remove nftables. You need to modify several more packages and rebuild them for your purpose. You can do that, if you like. But please: Do not expect any further support in this, only notes like I am giving now. Again, to underline as in the long post above: Yes, you are able to do and modify. But no, we are not supporting every single modification here. If we were doing that: Sure, then we would need a team bigger than everything else. You need to analyze the dependencies and conclude what you need. If you modify your system that way and re-add packages that were excluded for a reason when the system was rebuilt from scratch, you will encounter issues and problems on that way.


15

Re: How to install and configure nftables (firewall) in Hyperbola.

Okay, you'll have to spend time on nftables; it's a pity that you can't build ufw.

I understand.
This is an example, not a comparison:

https://archlinux.org/packages/core/x86_64/iproute2/
Dependencies (6)

    glibc
    iptables
    libbpf
    libcap
    libelf
    db5.3 (optional) - userspace arp daemon
    linux-atm (optional) - ATM support
    python (optional) - for routel
    linux-atm (make)

16

Re: How to install and configure nftables (firewall) in Hyperbola.

Here are the build-sources for iproute2: https://git.hyperbola.info:50100/packag … e/iproute2
You can also modify that package and add iptables if you want to do that. It is then surely your own iproute2, jim.


17

Re: How to install and configure nftables (firewall) in Hyperbola.

Thank you very much for the information. I wanted to clarify with you: maybe I made a mistake when I downloaded iptables instead of iptables-openrc and ufw instead of ufw-openrc; can you confirm this? I saw that there are other options.

https://gitea.artixlinux.org/packages?s … q=iptables   (this is an example not a comparison)

18

Re: How to install and configure nftables (firewall) in Hyperbola.

No problem in those cases for sure. big_smile

The openrc, dinit and so on packages have the corresponding service-declarations. You nevertheless need the original package. If you want, I can explain what those declarations are.


19 (edited by jim 2024-01-11 19:56:37)

Re: How to install and configure nftables (firewall) in Hyperbola.

I tried to build iproute2 https://git.hyperbola.info:50100/packag … e/iproute2 and got an error:

==> Retrieving sources...
  -> Downloading iproute2-5.9.0.tar.xz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   162  100   162    0     0    527      0 --:--:-- --:--:-- --:--:--   527
100  768k  100  768k    0     0   157k      0  0:00:04  0:00:04 --:--:--  179k
  -> Downloading iproute2-5.9.0.tar.sign...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   162  100   162    0     0    775      0 --:--:-- --:--:-- --:--:--   775
100   566  100   566    0     0   1196      0 --:--:-- --:--:-- --:--:--  1196
  -> Downloading iproute2_5.9.0-1.debian.tar.xz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 404
==> ERROR: Failure while downloading https://deb.debian.org/debian/pool/main/i/iproute2/iproute2_5.9.0-1.debian.tar.xz
    Aborting...

20

Re: How to install and configure nftables (firewall) in Hyperbola.

Tell me if you succeed in making ufw work without iptables and/or other bloated crap.

That would interest me indeed.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

21

Re: How to install and configure nftables (firewall) in Hyperbola.

Reworking the package, but take this first: https://repo.hyperbola.info:50011/gnu-p … src.tar.lz


22

Re: How to install and configure nftables (firewall) in Hyperbola.

Hello zapper. I'm trying; thanks for helping me, Throgh.

Throgh, thanks, I'll try it now.

23

Re: How to install and configure nftables (firewall) in Hyperbola.

I tried to install it and got an error: https://repo.hyperbola.info:50011/gnu-p … src.tar.lz

$ doas pacman -U iproute2-5.9.0-2.src.tar.lz
loading packages...
error: missing package metadata in iproute2-5.9.0-2.src.tar.lz
error: 'iproute2-5.9.0-2.src.tar.lz': invalid or corrupted package

24

Re: How to install and configure nftables (firewall) in Hyperbola.

Sorry if I was not clear: You should unpack that and find all the needed sources within.
All packages here have their sources rooted in that folder, so you can access them at any time.

But to make the difference:

pkg -> package (binary)
src -> sources (build-files, tarballs and so on)


25

Re: How to install and configure nftables (firewall) in Hyperbola.

I built iproute2, and also iptables and ufw, but when I try to run ufw I get an error with kernel modules:

ERROR: problem running ufw-init
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/5.10.127-gnu1-1-lts
iptables v1.8.10 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)