Problem
Firewall setup/audit currently focuses on IPv4 iptables rules. On hosts with IPv6 enabled or nftables-first setups, outbound restrictions may be incomplete or harder to validate.
Proposed solution
- Extend firewall setup to cover IPv6 egress policy (
ip6tables or nft equivalent).
- Add nftables-aware detection/configuration path where iptables compatibility is absent.
- Update security audit checks to validate whichever backend is active (iptables/ip6tables/nftables).
- Preserve current behavior as fallback for existing installs.
Helpful context
bin/setup-firewall.sh currently programs iptables chain/rules only.bin/security-audit.sh firewall checks inspect iptables and /etc/iptables/rules.v4.- Repo guidelines already allow distro-specific branches when reliability improves.
Problem
Firewall setup/audit currently focuses on IPv4
iptablesrules. On hosts with IPv6 enabled or nftables-first setups, outbound restrictions may be incomplete or harder to validate.Proposed solution
ip6tablesor nft equivalent).Helpful context
bin/setup-firewall.shcurrently programsiptableschain/rules only.bin/security-audit.shfirewall checks inspectiptablesand/etc/iptables/rules.v4.