
Re: Debian 9 network management



Hi.

On Sat, Aug 18, 2018 at 11:25:15AM +0200, Alessandro Vesely wrote:
> On Thu 16/Aug/2018 14:02:08 +0200 Reco wrote:
> > On Thu, Aug 16, 2018 at 12:04:28PM +0200, Alessandro Vesely wrote:
> >> On Wed 15/Aug/2018 08:31:32 +0200 mick crane wrote:
> >>> 
> >>> I too have been wondering about this and the wiki seems clear.
> >>> https://wiki.debian.org/NetworkConfiguration#Setting_up_an_Ethernet_Interface
> >> 
> >> However, that doesn't cover how to properly coordinate setting up IP links,
> >> firewall, NAT, and netfilter daemons.
> > 
> > If you're using userspace daemons for netfilter then you're doing it
> > wrong. For instance, it has forced a non-existent distinction between the
> > firewall, NAT and netfilter in your e-mail.
> > 
> > All these are merely the state of running kernel, and while you
> > certainly need userspace for configuring them, there's no need for any
> > userspace running for these things to function.
> 
> A netfilter queue daemon runs in userspace, but that doesn't make much of a
> difference.

True. But said daemon (whenever it's used for NetFlow collection or L7
filtering) is not responsible for the netfilter rules themselves.


> The point is in what order things are configured/enabled, and
> which files do you have to edit to check or change the corresponding parameters.

Also true. And this is where all userspace "firewall" daemons lose. Not
a single one of them is able to stomach a single netfilter rule
that was not added by them. At best they ignore it.


> >> IIRC it is possible, but difficult to make and maintain, and seemingly
> >> fragile.
> > 
> > A difficulty is in the eye of the beholder.
> 
> So is his/her learning curve, especially in a system where network management
> leans toward casual laptop users rather than server admins —and rightly so.

I agree that a server and desktop/laptop are configured differently.
One of the main differences boils down to the fact that one can expect a
netfilter rule set on a server, but it's a rare sight on a
desktop/laptop.
The reasons being - mDNS, SSDP, video casting, IPTV (multicast variant),
torrents etc. Is it possible to allow all this via netfilter? Yes. Would
the end-user bother? Hardly, as it's easier to disable all netfilter rules
altogether (in the case of Debian - not to enable them at all).
And if security is wanted by the end-user (which is rare in my experience),
there is always intermediate network hardware for that.


> In any case, a sysadmin has to learn the syntax of say, sysctl, ip, iptables,
> vconfig, modprobe, and the like.  Hence, just running the right sequence of
> (kernel configuration) commands is more straightforward than trying to discover
> how to have them run in the same sequence indirectly, by properly setting a
> number of configuration files, methinks.

You forgot to mention one crucial part - troubleshooting. For us, mere
mortals, writing a set of netfilter rules at first try without any
errors is hard if not impossible.
And all these high-level tools are hardly suited for the
troubleshooting.


> In addition, the semantics of high
> level configuration files seems to be more likely to change across releases
> than that of lower level commands.

There's an answer for that, but it's hardly to anyone's liking.
RedHat's firewalld. It's tricky, with a big 'S' for security in its name, and
it's written in Python, but the end-user interface is stable.

Reco
