[nzlug] Firewall ruleset check...
Michael Adams
linux_mike at paradise.net.nz
Thu May 15 18:04:41 NZST 2008
On Wed, 14 May 2008 21:16:35 +1000
Daniel Pittman wrote:
> Steve Holdoway <steve at greengecko.co.nz> writes:
> > On Wed, 14 May 2008 19:05:26 +1200
> > Cliff Pratt <enkidu at cliffp.com> wrote:
> >
> >> Why re-invent the wheel when you can use someone else's expertise.
> >
> > <hobbyhorse>
> > Because if you actually understand what you're doing, then you'll do
> > a better job.
>
> I would argue that this is true only if you say:
>
> Because if you actually understand what you are doing *better than
> the developers of the firewall tool* then you'll do a better job.
>
> If you are not as good as the people building an upstream solution, or
> if you don't have as much peer review, or if you are misinformed of
> the capabilities of the tool then you may well do worse.
>
> On the other hand, yes, you may do better. Understanding the tool,
> and the situation, is necessary -- no blanket statement is ever going
> to be universally true.
>
> > I doubt that the iptables developers were intending to make their
> > solution as difficult as possible to understand - I suggest that it
> > was the exact opposite, and their solution is as simple as it could
> > possibly be.
>
> I don't believe that simplicity is the sole axis on which to judge
> iptables, or a wrapper around it. Furthermore, I don't believe that
> there is a *single* axis of simplicity.
>
> For example, I would suggest the iptables developers designed their
> tool to be as correct and simple as possible *from a kernel
> implementation point of view*, rather than focusing on a simple user
> interface.
>
IPTables was designed as _the_ text readable interface for
netfilter so it _is_ a simple user interface. Simple as in CLI
accessible. Shorewall and the like are GUI to the text
interface if you like.
http://www.netfilter.org/projects/iptables/index.html
**** Quote ****
iptables is the userspace command line program used to configure the
Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. It is targeted
towards system administrators.
***************
I'm staying out of the rest of the argu^h^h^h^h discussion :)
[snip]
--
Michael
All shall be well, and all shall be well, and all manner of things shall
be well
- Julian of Norwich 1342 - 1416
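As an added illustration of the point above that iptables is itself the command-line interface to the netfilter ruleset (this is example code, not part of the list post or of the iptables project): a minimal stateful IPv4 ruleset written in the text format that iptables-restore reads, together with a small text-only sanity check that can be run before the rules are loaded. It assumes a host that should accept only SSH (tcp/22) from the network; the check only inspects the text, so it needs neither root nor a kernel with netfilter.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: a default-deny IPv4
# ruleset in iptables-restore format, plus a text-only check of the
# invariants an administrator usually wants before loading it.
# Assumption: the host offers only SSH (tcp/22); adjust for your services.

minimal_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this host initiated
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new SSH sessions
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# explicit catch-all (the INPUT policy already drops, kept for readability)
-A INPUT -j DROP
COMMIT
EOF
}

# check_ruleset reads a ruleset on stdin, prints one "FAIL: ..." line per
# violated invariant, and prints "ok" (exit 0) when all of them hold.
check_ruleset() {
    rules=$(cat)
    status=ok
    for chain in INPUT FORWARD; do
        if ! printf '%s\n' "$rules" | grep -q "^:$chain DROP"; then
            echo "FAIL: $chain policy is not DROP"
            status=fail
        fi
    done
    if ! printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'; then
        echo "FAIL: no conntrack rule accepting established connections"
        status=fail
    fi
    if ! printf '%s\n' "$rules" | grep -q '^COMMIT$'; then
        echo "FAIL: missing COMMIT"
        status=fail
    fi
    if [ "$status" = ok ]; then echo ok; fi
    [ "$status" = ok ]
}

# Load only after the check passes (loading requires root):
#   minimal_ruleset | check_ruleset && minimal_ruleset | iptables-restore
```

iptables-restore replaces the whole table atomically, so a ruleset that passes the check either applies completely or not at all; recent iptables versions also offer `iptables-restore --test` to parse a ruleset without committing it, which is a useful second check on a host where the tool is installed.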