On 02/09/2011 13:44, James Shubin wrote:
> On Wed, 2011-08-31 at 09:41 -0700, Tom Eastep wrote:
>> I have mixed feelings about omnibus macros like this; I think they
>> encourage naive users to open many more ports than are really needed.
> Agreed
>> Anyone else have an opinion?
>>
> Do not want.
>
> If macro.MAIL is what you want, you can still add it to your own config.
> I have a few personal macros that I use, that I push to my servers with
> puppet.
If they are useful enough for you, then why not toss them upstream so that everyone might benefit?

I'm not sure I understand the criteria for what types of macros should be in upstream. There is a macro for "SMTP", which is arguably just a reminder of the port number for smtp. There is a macro for SMB, which is useful because it covers the range of tcp and udp ports. There is a selection of NTP* macros, which cover variations of direction and ports. So upstream already ships very simple macros and macros like "Web" which cover groups of protocols. Where is the line on what is appropriate and what is not?

I asked previously if anyone has a genuine example where the macro would "cause harm". The original claim was that this would cause naive users to open additional unneeded ports. I'm not disputing the general case, but in this *specific* case I don't (currently) see that there are real situations where a naive user will cause themselves harm using this. Please consider the specific example here, not just the general idea of "group macros" (which I'm not arguing in favour of).

I also claimed a benefit in the case of REJECT: a sensible group macro in that case can be more secure for a naive user than said user trying to figure out all the corner cases to block (blocking the easy stuff is easy; it's the corner cases which go wrong).

If I examine the situations where I have a requirement to filter mail, in 100% of *my* situations I would need to write all 7 lines (either ACCEPT or REJECT as appropriate). I'm struggling to imagine more than a handful of situations where I wouldn't use the whole group... Typing is bad and leads to cut and paste errors...
(I have under 100 servers, so I'm not going to claim my experience is definitive, but I have given it some examination.)

I would like to ask you to reconsider your opinions. Please discuss in the context of what the criteria are for inclusion in upstream macros, not just personal preference.

Thanks

Ed W

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
