ferm
Is Ferm abandoned?
Hey there, it seems like this project has not received any maintenance or attention in the last 3 years. The only documentation site I found is http://ferm.foo-projects.org/ and has no certificate/seems abandoned as well. There have also been no package releases for Debian 12, for example.
So my question would be: Is ferm officially retired/abandoned?
The reason why I am asking is: Voxpupuli currently has a module for managing ferm and ferm-rules (https://github.com/voxpupuli/puppet-ferm), but we can't maintain/update the module for newer OSes. Should ferm be retired, we would start moving forward with archiving our corresponding Puppet module as well.
I didn't have any time to maintain ferm, and I'd be happy to hand over maintainership to an interested volunteer. Though I think ferm is somewhat obsolete with the advent of nftables and the deprecation of iptables. nftables comes with a similar syntax, though it is by far not as powerful and expressive as ferm. That's unfortunate, but I think these missing features would better be added to nftables instead of wrapping something ferm-like on top of nftables. iptables was awful enough that ferm was needed. For people who stick with iptables and do not want to migrate to nftables, ferm is still fine.
nftables as a framework is fine. nft does not look to me as if it is finished. I tried to talk to the nft developers a couple of years ago and there was zero indication of them being willing to move nft in the direction of ferm's comfort. What is especially missing for me is ferm's ability of arbitrarily mixing IPv4 and IPv6 with the processor doing the right thing, generating the correct rules. Subchains are also missing.
The right way to go forward would be to fork nft and to make nftim ("nft improved", working title) work more ferm-like with more comfort for the user. Sadly, I neither have the time nor the programming expertise to go forward with this.
That being said, https://ferm.foo-projects.org/ has a self-signed certificate and only delivers an "under construction" web page. http://ferm.foo-projects.org/ delivers the correct page, but that doesn't help much with modern browsers that don't do http any more without an explicit whitelist. Please consider fixing the https web page or turning off the https listener.