
Re: some reality about iptables, please



On Fri, 2003-08-29 at 10:44, Steve Lamb wrote:
> On 29 Aug 2003 10:26:57 -0400
> Bret Comstock Waldow <bwaldow@alum.mit.edu> wrote:
> > Yes, this is a fun place we all get to be individuals in, joking with
> > each other.  OTOH, I'm a Software Quality Assurance Analyst for a
> > living, and you don't leave users high and dry, and you don't play with
> > them.  That's not helpful.
> 
>     Why any user would want to start off with iptables when the examples
> provided point to several far easier and more comprehensive methods of
> handling those rules is beyond me.  Stock answer to anyone who wants to muck
> around with firewall rules:
> 
> aptitude install shorewall
> 
>     Until you got that down pat you've no business poking directly with
> iptables directly IMHO.

And now I've heard your opinion.  (No deprecation intended, please read
on).

Notice what I've gone through to get to a place where I get to hear it.

Next, are you correct?  Are you correct in my case?

The reason I switched to Debian is that Red Hat is too proprietary. 
They make non-standard patches to the kernel, they've worked up a
framework for administrating their distro, etc. that are proprietary. 
To work with it, I have to study Red Hat-isms, that don't apply to
anything else.

I've also used SuSE, which is great, but the same or worse than Red Hat.

Suggestions I found on the web wouldn't work in either sometimes -
they're set up in non-standard ways.

So, I can invest my time into studying their proprietary systems, or...

I went looking for something more "just Linux", and Debian seems to meet
the criteria (although the .deb system is specialized - still, it is
widespread).

So, the question is, what do I spend my time and attention studying?

I've got two external interfaces, eth0 and ppp0.  I've got two virtual
internal interfaces to VMware, vmnet0 as a bridge to the Internet, and
vmnet1 as a bridge to the host filesystem via samba.

Lokkit locked up access to the host fs.  firestarter also didn't handle
vmnetX.  fwbuilder looks great, but I need to know all the network stuff
anyway to use it.

How much study does it take for me to know enough about shorewall,
fwbuilder, firestarter, etc. to know it will solve my problems, how to
use it, how to be sure of the implications, gotchas, etc.?  And what do
I have to study to know that?

Should I put my effort into understanding iptables in the first place so
I can evaluate what shorewall does, or put my effort into trying to get
shorewall to do something (I can't evaluate if it's working - I don't
know enough.  What isn't it covering?  How do I know?)

Which comes first, the chicken or the egg?  (I know - it's the rooster.)

I got upset when the only answer I found was when someone implied they
knew something important, but left few pointers to what it was.

He was happy to spend a couple of paragraphs repeatedly emphasizing that
there was something important - why didn't he spend a paragraph stating
what it was?  "I don't like this because <phrase #1 to look up on
google>, <phrase #2 to look up on google>, and/or <phrase #3 to look up
on google>."

Sorted.  Done.

Beyond that, I'm willing to put in the time to learn.  I'm doing that
now.

Cheers,
Bret
-- 
bwaldow at alum dot mit dot edu


