
Re: some reality about iptables, please



On Fri, 2003-08-29 at 06:57, Paul Johnson wrote:
>  -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wed, Aug 27, 2003 at 11:06:23AM -0400, Bret Comstock Waldow wrote:
> > 1) If I use one of those tools, it does something, sets up something. 
> > What will it do?  It's someone else's canned decisions about how to
> > implement the choices I select from what it offers.  What do I end up
> > with?  Are there any holes?  How will I know if other choices I make
> > open up holes because I don't know how it's all coordinated?
> 
> You're welcome to go through the resulting config files and take a
> looksee for yourself.  It's not like the Windows registry or reading
> an SQL database with less or anything like that.

The problem I am facing is I don't know enough (yet) to do that.

Ok, learning is part of the deal.  But I also wasn't finding answers to
my questions.  I found website after website that talked about the
rules, but not so clear a discussion of where to put them, when to
activate them, what to coordinate them with, all the surrounding
aspects.  What services get activated when?  Which ones are relevant to
this problem?

To then run across one suggestion along with language suggesting he
wasn't telling the whole story (so I could evaluate what to do with it)
and inferring I'll have trouble if I use his suggestion was maddening.

In-jokes are great for people who are on the in - they may be at the
expense of others.


> > And I don't think leaving documentation like the above is very kind or
> > useful for newbies. 
> 
> I apologize for sounding harsh, and I do remember my newbie days, but
> it appears that you missed the obvious.

And if I did, what does that say about the documentation?

Yes, I am an idiot sometimes.  Perhaps this time too.


> > If I'm to figure out how to solve the problem, I
> > need to know how, and leaving stress-inducing comments like that in
> > released code is a cop-out.
> 
> How so?  Why should the iptables maintainer be expected to write an
> end-to-end solution to this problem when there are tools already
> readily available that do exactly what you're asking?

No.  I think a person can write whatever they like.

I also think the standard for the documentation that's accepted for
default installation with Debian maybe needs to meet a standard that
does the job of providing useful information for as broad a range of
users and skill and knowledge levels as can be arranged.  Threatening
doom and not saying why comes across a bit slack to me.

Yes, this is a fun place we all get to be individuals in, joking with
each other.  OTOH, I'm a Software Quality Assurance Analyst for a
living, and you don't leave users high and dry, and you don't play with
them.  That's not helpful.

Bret

-- 
bwaldow at alum dot mit dot edu


