
replace ferm with nftables

Context

Since version 2.5, released with Debian 11, ferm, our firewall manager, loads its firewall rules via iptables-legacy instead of iptables, which has been aliased to iptables-nft since Debian 10.

The result is that our bullseye machines run two firewalls, both nftables and iptables. This is explicitly discouraged in Debian.

Workaround

Since we mainly deploy simple firewall rules and never had any issues with ferm using iptables on Debian 10 (that is, iptables-nft), we should consider implementing the workaround suggested here to force ferm to interact with iptables/iptables-nft on bullseye and later: https://github.com/MaxKellermann/ferm/issues/47#issuecomment-845940826

Fix

We should just stop using ferm altogether and directly generate rules with nftables.

@weasel apparently has a good nftables module for puppet:

https://github.com/weaselp/puppet-nry_nft

... and naturally voxpupuli has one too:

https://forge.puppet.com/modules/puppet/nftables / https://github.com/voxpupuli/puppet-nftables
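An added example to go with the Context and Fix sections above (this is not code from the issue, from ferm, or from either Puppet module): a small POSIX shell script that detects the "two firewalls" condition, i.e. rules loaded through both the iptables-legacy and the iptables-nft backend on the same host, and carries a minimal nftables ruleset of the kind a simple ferm policy would be replaced with. The constructed `iptables-save` sample, the `inet filter` table name and the choice of allowed services (loopback, established traffic, ICMP, SSH on port 22) are my assumptions, not anything the issue specifies.

```shell
#!/bin/sh
# Added example, not part of the issue or of ferm. Run as root with the
# argument "audit" to inspect a real host; the functions are otherwise
# pure so they can be sourced and tested with constructed input.

# count_rules reads iptables-save style output on stdin and prints the
# number of "-A CHAIN ..." rule lines it contains (0 when there are none).
count_rules() {
    awk '/^-A /{n++} END{print n+0}'
}

# classify_backends takes two rule counts (legacy, nft) and prints which
# backend carries rules. It returns 1 only when both do, which is the mixed
# state the issue describes on bullseye with ferm 2.5.
classify_backends() {
    legacy=$1
    nft=$2
    if [ "$legacy" -gt 0 ] && [ "$nft" -gt 0 ]; then
        echo "both: $legacy rules in iptables-legacy, $nft in iptables-nft (mixed backends)"
        return 1
    elif [ "$legacy" -gt 0 ]; then
        echo "legacy-only: $legacy rules in iptables-legacy"
    elif [ "$nft" -gt 0 ]; then
        echo "nft-only: $nft rules in iptables-nft"
    else
        echo "none: no iptables rules in either backend"
    fi
    return 0
}

# audit_host runs the real save tools (needs root) and classifies the result.
# A missing tool counts as zero rules for that backend.
audit_host() {
    l=0; n=0
    command -v iptables-legacy-save >/dev/null 2>&1 && l=$(iptables-legacy-save 2>/dev/null | count_rules)
    command -v iptables-nft-save >/dev/null 2>&1 && n=$(iptables-nft-save 2>/dev/null | count_rules)
    classify_backends "$l" "$n"
}

# sample_legacy_save is a constructed iptables-save dump (assumption, not
# taken from any real host) used to exercise count_rules offline.
sample_legacy_save() {
    cat <<'EOF'
# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# nft_ruleset prints a minimal nftables ruleset standing in for the simple
# ferm policies the issue mentions: default drop on input, allow loopback,
# established/related traffic, ICMP/ICMPv6 and SSH. Table name and ports are
# my assumptions.
nft_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset syntax-checks the ruleset without loading it (nft -c), so it
# is safe to run on a host that still has ferm rules in place.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
        return 2
    fi
}

if [ "${1:-}" = "audit" ]; then
    audit_host
    check_ruleset
fi
```

`sh ferm-audit.sh audit` on a bullseye host still running ferm 2.5 should report the "both" case (exit status 1), which is the condition to clear before loading the nftables ruleset with `nft -f`; on a host that has been moved to nftables it should report "nft-only" or "none", since ferm's legacy tables are gone.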

Edited by anarcat