2013/2/16 Matthew Weigel <uni...@idempot.net>:
> On Feb 16, 2013, at 5:28 AM, Vadim Zhukov <persg...@gmail.com> wrote:
>
>> 2013/2/16 Fil DiNoto <fdin...@gmail.com>:
>>> But this is all off-topic, I'm not slamming pf in any way, I love it. I
>>> was just saying it can't hurt to try to emulate what people know if at
>>> all possible. And the fact is that junos/ios have the market share so
>>> that's what people know.
>
> Sorry, Vadim, for responding to Fil through your email.
>
> I think there is a real risk to trying to present an interface that is 
> reminiscent of other systems, that behave differently and do less. People 
> will begin to expect that pf does the same things - no more, no less. Power 
> that is specific to pf over other systems will be ignored, because people 
> will think that since they are familiar with the interface they know what 
> they're doing.

Yes, there are people who want to know just enough to get work done
somehow - those don't care what to use and don't want to learn in
general. Probably they aren't the OpenBSD audience, but they hurt
other people, "advanced" enough to use OpenBSD, as well.

Those who don't care about the tools they are actually using WILL
fuck up their use. And hell, yes, I'd prefer a netfilter-based solution
built by a smart man to a PF-based one built by a stupid one. But when
choosing between netfilter-based and PF-based firewalls built by the
same lazy man (I'm NOT talking about the OP himself here)... who cares?

There is no point in caring about what tools others use, until this
hurts you. If others just use netfilter, fine - it's their problem. :)
If you have to use netfilter because others do use PF - it becomes
your problem. A real problem.

Just an example: I had to spend the last few months building a
virtualized environment based on CentOS 6. Well, I could not say it's
full crap - just about 70% of it. :) I know that building the same
using OpenBSD could take a few weeks (including detailed documentation
of the whole process). But I had to use Linux, because other people
here don't know anything about BSDs at all, and because they really
need Sun JDK 1.6 for some stuff. It's a real pain in the ass: for
example, I had to fight with udev, grub and LVM each time I cloned a
virtual machine; I have to choose between old (CentOS/RHEL repos) and
badly tested (EPEL) packages most of the time, or build stuff on my
own; I have to debug PAM modules to allow logging in using 25-year-old
technologies because "official HOWTOs" are not valid for the given OS
and the tools provided with the distro fail silently, and even then it
doesn't work the way I want...

But people don't want a thing that Just Works(TM) if they could not fix
it later themselves (though I suspect they could not fix this
Linux-based infrastructure either). So many of us have to build
Linux-based environments for others and use OpenBSD for ourselves. A
bit frustrating, but it's better than nothing. :)

And let's see the problem from the other side. Remember school. At
first you learn Newtonian physics, where you could just accelerate
and run as fast as light, and even faster. And only then, a few
years later, Einstein's theory comes.

Don't think about a shell-like interface for PF as the right
solution for the final product - such thinking IS wrong, I totally
agree. But remember, when people _really_ want some more
functionality, they _will_ learn. They just need an incentive.

Straightforwardly making the people around you learn the whole of PF at
once is almost the same thing as trying to make a first grader learn
relativity theory. I've made enough such mistakes already, trust me.
:) And I don't want to say those people are stupid at all, they just
could not apprehend things as quickly as you or I may want them to.

> Presenting a different interface is a FANTASTIC way to communicate 
> 'difference' to the user. It forces them to think about the difference 
> sooner, rather than when things aren't working as expected (or after they've 
> bought more equipment on top of the OpenBSD firewall because "JunOS can't do 
> that").
>
> If that means people don't learn pf because they realize very quickly that 
> it's unlike anything they know... That is a SERVICE being provided. They knew 
> they didn't have the time to figure it out before they got ass-deep into it.

Everyone makes mistakes. Everyone sometimes fucks things up. I do.
:) If you want those to happen more rarely than often, set up the
appropriate process: give people as much info as they can handle
at the given moment, but not more - or they won't get any info at all.

Let them know that there is PF. Just a few words. Then show some
things they use (or want to use) in netfilter/DamnSwitchOS/etc. that
are easy in PF, so people get interested. Do this several times. Make
them know that "PF is easy". Then get them to try to do the same
you're doing. If you've done that well, they'll like it, and they will
want to try it in production. Just make people _want_ to learn and
try. They will find the arguments themselves. :)

I tried. This works.

--
  WBR,
  Vadim Zhukov
