
Re: some reality about iptables, please



On Wed, 2003-08-27 at 14:12, Murray J. Brown wrote:

> BTW, the author's note was not a cop-out; it was actually an insightful
> remark, albeit terse and presumptive of some sophistication on the part
> of the user.

I continue not to agree on this count.  The note provided didn't say
anything about _why_ it shouldn't be used.  From a position of ignorance
(newbie), I can infer, but can't know.  Is it a security issue?  A
maintenance issue?  Potential conflict with another commonly customized
subsystem?  Something else entirely?

The author suggests he was "hounded" into providing it, despite the
unexplained misgivings he had.  I think his appropriate response if he
thought there were serious problems with the approach would have been to
say "write it yourself if you think it's appropriate - I don't".

Then, whoever wanted it would be responsible for making it work,
explaining it, etc.  As it is, he let the people who wanted it off the
hook (so they don't take any responsibility), but he doesn't say why he
doesn't think it should be used either - leaving people who don't have
the background to do it without his contribution in the dark and
uncertain.  He's got a secret, but he isn't telling.

I think that's a cop-out.  The nature of IPtables isn't so fundamental
as to allow me to expect everyone will have the background for it.  He
may be quite correct, and his advice (as far as it goes) valuable, but
he sowed doubt, and didn't act to dispel it.

And he could have.  He's the one who knows.

You probably know enough about IPtables to think of good reasons not to
use the /etc/default/iptables method outlined, but you still can't be
sure what _his_ reasons for deprecating it are.  He might be thinking of
something else.


> BTW, my previous post should have indicated PRE-up and POST-down clauses
> on the iface statement for the ppp connection.

Thank you.  I tried a few tools, but didn't understand some of what was
occurring, and one of them wrote rules that screwed up my system's
access.  I'll look again.

In the longer term, tying the rules to the network inits seems sensible.

Cheers,
Bret
-- 
bwaldow at alum dot mit dot edu
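The pre-up/post-down approach Murray mentions, worked through as an added example that is not part of the original thread (neither Bret's nor Murray's code, and not the Debian iptables init script). It assumes a hook at /etc/network/firewall.sh, a saved ruleset at /etc/iptables.rules, and an interface named ppp0 with a provider called myisp; all of those names are made up for the illustration. The point it demonstrates is the one Bret calls "tying the rules to the network inits": the rules are loaded before the link exists, and if they cannot be loaded the interface does not come up at all.

```shell
#!/bin/sh
# Added example (not code from the thread): an ifupdown firewall hook.
# The iface stanza in /etc/network/interfaces would call it like this
# (assumed names, adjust to taste):
#
#   iface ppp0 inet ppp
#       provider  myisp
#       pre-up    /etc/network/firewall.sh
#       post-down /etc/network/firewall.sh
#
# pre-up runs before the link exists, so the rules are in place before the
# first packet can arrive. ifupdown exports IFACE and MODE (start/stop) to
# the command. A non-zero exit from a pre-up command makes ifup abort the
# interface, which is what we want here: no ruleset, no interface.

RULES="${IPTABLES_RULES:-/etc/iptables.rules}"   # iptables-save format (assumed path)

# Write a constructed default-deny ruleset to $1, in the format iptables-save
# produces and iptables-restore consumes. Included only to show the file layout.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# load_rules FILE [RESTORE_CMD]
# Feeds FILE to RESTORE_CMD (iptables-restore unless overridden, e.g. for a
# dry run). Returns non-zero if the file is missing/empty or the restore
# fails, so that the hook fails closed instead of bringing the link up bare.
load_rules() {
    rules="$1"
    restore="${2:-iptables-restore}"
    if [ ! -s "$rules" ]; then
        echo "firewall: $rules missing or empty, refusing to continue" >&2
        return 1
    fi
    # iptables-restore applies the whole file or nothing, so a syntax error
    # leaves the previous ruleset intact rather than a half-loaded one.
    if ! "$restore" < "$rules"; then
        echo "firewall: loading $rules failed" >&2
        return 1
    fi
    return 0
}

# flush_to_deny [RESTORE_CMD]
# Run on post-down: rather than leaving the link's ruleset (and anything
# added at runtime) around for whatever comes up next, reset to a minimal
# deny-all policy that still allows loopback.
flush_to_deny() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' 'COMMIT' \
        | "${1:-iptables-restore}"
}

# Only act when invoked by ifup/ifdown (they export IFACE); running the file
# by hand or sourcing it for its functions does nothing.
if [ -n "${IFACE:-}" ]; then
    case "${MODE:-start}" in
        start) load_rules "$RULES" ;;
        stop)  flush_to_deny ;;
    esac
fi
```

Generate /etc/iptables.rules once with `iptables-save` after building the ruleset by hand, then let the hook replay it on every pre-up. Deliberately not done here: saving on post-down. Dumping the live tables back to the file on the way down would silently persist any rule added at runtime, including one an intruder added, so the saved file stays the single hand-reviewed source of truth.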
