On Wed, 3 Jan 2001, David Douthitt wrote:
<snip>
>
> 1. They only generate ipchains on a one-shot deal; if you want to
> repeat you have to regenerate the script and rerun it. These
> utilities usually generate a shell script with all of the ipchains
> rules in it.
Which is why I suggested an init-script style initialization of rule
segments.
>
> 2. They require great big things like Perl to run - and so won't run
> on a small system like LRP/Oxygen/EigerStein.
>
A symptom of the attempt to solve too many problems -- if you're just
configuring a single firewall on a service-by-service basis, you shouldn't
need this stuff.
> 3. Rather than hide the rules, they tend to "create" them - there is
> no abstraction, just a rules generator.
>
Yeah, the ones I've seen tend to still require knowledge of port numbers
and stuff. Another reason I think init-script style is the way to go -- it
leverages one of the first bits of Linux knowledge people get (how to
start and stop services) and it hides the ipchains from casual observers,
though the code is still easy to see if someone wants to tweak it.
> My goals:
>
> * Abstract the firewall concepts sufficiently so a regular person can
> actually understand it (!)
>
Mmmm... I've seen this devolve into arguments about how "regular person"
should be defined.
> * Use functions and whatever scripts to make "programming" easy for a
> regular person (!)
>
Again, caution required. After working with 2.9.4 enough to be pretty
proficient, I found the scripts and functions of EigerStein to be quite
complicated and difficult to use. I had to spend several hours stepping
through them. Note the volume of mail being generated right now by people
trying to figure out how to forward a service -- there are three places
that look like they need to be modified, but only two are actually
required, and it's very confusing.
> * Use functions and whatever scripts to make firewall design simple
> and powerful in the hands of the expert
>
The expert is more likely to bypass your system and write their own
ipchains statements (possibly within your system's framework).
> > it's a shame this couldn't happen
> > ITRW (the instant feedback & interaction when brain-storming is one of
> > the big things lost in e-mail or other written communication).
>
> Conference call?? Hmmm....
>
>
Makes me miss the Pacbell job where people's bridge passwords were easily
guessed...
IRC or AIM? I haven't used it in weeks, but irc.monkeynoodle.org is still
up. #punk is the channel.
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel
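What an "init-script style" rule segment for a single service looks like, as an added example written for this page; it is not code from the thread, from LEAF/EigerStein or from any of the generators discussed. It assumes a masquerading box with external interface eth0, external address EXT_IP, an internal server INT_IP, the classic ipchains/ipmasqadm tools, and the service names and ports in the table; all of those are assumptions, not taken from the message.

```sh
#!/bin/sh
# Added example (not code from the leaf-devel thread or the LEAF project):
# one "rule segment" for a service, in the init-script start/stop shape
# the message argues for. Everything site-specific below is an assumption:
# external interface eth0, external address EXT_IP, internal server INT_IP.

EXT_IF=${EXT_IF:-eth0}
EXT_IP=${EXT_IP:-192.0.2.1}      # assumed firewall external address
INT_IP=${INT_IP:-192.168.1.10}   # assumed internal host the service lives on
# Point these at "echo" to dry-run: the rules are printed, not loaded.
IPCHAINS=${IPCHAINS:-ipchains}
IPMASQADM=${IPMASQADM:-ipmasqadm}

# One line per service: "<proto> <port>". Forwarding a new service means
# adding a line here and running "start", not editing three places.
service_spec() {
    case "$1" in
        www) echo "tcp 80" ;;
        ssh) echo "tcp 22" ;;
        dns) echo "udp 53" ;;
        *)   echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# accept_rule -A|-D <service>: let packets for the service in on the
# external interface. -A appends on start; -D removes the identical rule
# on stop, so the stop side needs no separate bookkeeping.
accept_rule() {
    op=$1; spec=$(service_spec "$2") || return 1
    set -- $spec
    "$IPCHAINS" "$op" input -i "$EXT_IF" -p "$1" -d "$EXT_IP" "$2" -j ACCEPT
}

# portfw_rule a|d <service>: redirect the service from the firewall's
# external address to the internal host (ipmasqadm portfw syntax).
portfw_rule() {
    op=$1; spec=$(service_spec "$2") || return 1
    set -- $spec
    "$IPMASQADM" portfw "-$op" -P "$1" -L "$EXT_IP" "$2" -R "$INT_IP" "$2"
}

fw_start() { accept_rule -A "$1" && portfw_rule a "$1"; }
fw_stop()  { portfw_rule d "$1" && accept_rule -D "$1"; }

# Usage: ./fw-service.sh start|stop|restart <service>
case "${1:-}" in
    start)   fw_start "$2" ;;
    stop)    fw_stop "$2" ;;
    restart) fw_stop "$2"; fw_start "$2" ;;
    "")      ;;   # sourced or run without arguments: define functions only
    *)       echo "usage: $0 start|stop|restart <service>" >&2; exit 1 ;;
esac
```

Run with `IPCHAINS=echo IPMASQADM=echo ./fw-service.sh start www` to see the two commands the segment would issue without touching the kernel. The point the message makes is visible in the shape: the casual user sees start/stop and a service name, the ipchains lines are one function away for anyone who wants to tweak them, and because stop issues the exact mirror of start (`-D` of the same rule, `portfw -d` of the same redirect) the segment is idempotent to rerun rather than a one-shot generator.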