Gentoo Archives: gentoo-dev

From: Sherman Boyd <shermanb@×××.com>
To: gentoo-dev@××××××××××.org
Subject: Re: [gentoo-dev] NAT iptables info
Date: Thu, 04 Oct 2001 14:47:18
Not in agreement with what? I'm simply asking a question. I understand what you are saying, but I think you are still stuck on your original thread with the guy who actually wants a one-button firewall. You assume too much if you think that I am looking for the same thing. Nobody wants to make gentoo into a zero-knowledge distro, so it's real easy to score some cheap shots making comparisons to Microsoft and Redhat.

Configuration is obviously in the domain of a package. Ideally the default configuration is conservative and secure. The fact is Gentoo is making policy decisions every day, and even deals with optional configurations. Take /etc/rc.d/config/basic, where we have the choice of using either achim's, drobbin's or pete's favorite console fonts. I like that. Why? Because even though I have a preference for what my console font is, I really don't give a damn. I'm not going to waste too much time researching different console fonts. So I really appreciate a suggested configuration. This solution is cool, but it gets more complicated when we get into desktops. So what I was suggesting was a higher-level tool to handle configurations. Should gentoo provide one default configuration for GNOME? Or should there be a choice of configurations? Maybe separation of installation and configuration would be a good thing? I think a configuration tool moves toward gentoo's goal of being a meta-distribution.

Now I'm not suggesting a configuration tool that can replace the need for manual configuration, at least in most cases. Just a tool that can manage multiple optional configurations. I'm with you when you say that an admin (or user) should understand netfilter before implementing it, and I disagree with the original poster who wants an easy (but insecure) way to NAT his network. However, there comes a time when you may want the benefit of someone else's experience. You probably did not write a firewall script from scratch, or your XFree configuration, and on and on. Chances are you used a suggested configuration that you modified to suit your purposes.

Anyway, it is simply an idea, maybe even a bad one. I'm not terribly attached to it. I was hoping to open a logical discussion, not some hot-blooded "debate". Nobody is going to turn gentoo into a Mandrake or Redhat. Documentation is a lot more important than optional configuration packages. Please tone down the emotion and carefully consider what I am saying next time. It sounds like we agree on a lot, and even if we disagree I think it is to everyone's advantage to keep an open mind.

-sherman
-----Original Message-----
From: Donny Davies <woodchip@g.o>
Sent: Wednesday, October 03, 2001 12:35 PM
To: <gentoo-dev@××××××××××.org>
Subject: [gentoo-dev] NAT iptables info
Nope. Sorry. I'm not in agreement in this at all. Of course, it's open to debate,
I'm not saying I know everything, nor am I 100% right. Go ahead, debate away.
But I don't want any part of it, I'll tell you that!

If you don't understand the ramifications of packet filtering, NAT, etc. then
you have *no* business running this software. We are not Microsoft or Wingate,
opening your machine to a wider world.

What if somebody's iptables script is made into an ebuild, and said script turns
out to be flawed, perhaps seriously? Then it's "hey, yeah those guys at gentoo
have a firewall setup like swiss cheese." What interfaces are you going to
configure this ebuild for? eth0 and eth1? How about ppp? Maybe an isdn
interface? How do you choose? I'm going to say this again, it is 100%
configuration. This is *not* the domain of a package. It is the domain of
a system administrator. This is 1 file we're talking about here people, not
a series of docs, scripts, config files. *Most* of them anyway. There *are*
some that come with external configs. But that's all beside the point. The
script needs to be edited. This whole thing started because we basically had
a post to the devel list of the flavour: "I need an iptables HOWTO".

What are you going to do about the kernel modules? Did you know that
the netfilter modules are built at the kernel level? How are you going to
DEPEND on that?

This is bad policy. A distribution should *not* be dictating *policy*. To
not understand that is a big mistake. Listen, Redhat and Mandrake are
the kinds of distros doing this stuff! Making Linux into a 1-click affair.
This is not our primary intention. Not at this stage anyway!

So feel free to debate it all you want, I won't be having *any* part in it,
I'll tell you that!

Cheers!

Donny
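Editor's note: the thread above raises three concrete technical objections to a packaged NAT script (which interfaces it assumes, whether the kernel actually has netfilter/NAT support, and the "swiss cheese" risk of a permissive default). The script below is an added example written for this archive page; it is not code from either poster or from Gentoo. It assumes a 2.4-era iptables with the `-m state` match, takes the WAN interface, LAN interface and LAN prefix as explicit arguments instead of guessing eth0/eth1, checks for the NAT table in /proc/net/ip_tables_names before anything is applied, and only prints the rules so the administrator can read and edit them before piping them into a root shell.

```shell
#!/bin/sh
# Added example, not from the gentoo-dev thread: conservative NAT gateway
# ruleset generator. Nothing is applied unless the output is piped to a
# root shell by the administrator.

# Accept only plain interface names so an argument cannot smuggle extra
# iptables options into the generated commands.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report whether the running kernel has the NAT table available.
# $1 is the procfs listing to inspect (normally /proc/net/ip_tables_names);
# it is a parameter so the check can be exercised without root.
nat_table_loaded() {
    [ -r "$1" ] && grep -qx nat "$1"
}

# Print the commands for a masquerading gateway: default-DROP INPUT and
# FORWARD policies, stateful return traffic only, LAN clients may initiate.
#   nat_rules WAN_IF LAN_IF LAN_PREFIX
nat_rules() {
    wan="$1"; lan="$2"; lan_net="$3"
    valid_ifname "$wan" && valid_ifname "$lan" || { echo "bad interface name" >&2; return 1; }
    [ "$wan" != "$lan" ] || { echo "WAN and LAN must differ" >&2; return 1; }
    [ -n "$lan_net" ] || { echo "LAN prefix required" >&2; return 1; }
    # Fail closed: set the policies before flushing, then rebuild.
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Usage as root, after choosing the three values for your own box
# (ppp0/eth0/192.168.1.0/24 are placeholders, not defaults):
#   nat_table_loaded /proc/net/ip_tables_names || modprobe iptable_nat
#   nat_rules ppp0 eth0 192.168.1.0/24 | sh
```

The generator refuses identical or malformed interface names, and the kernel check is a runtime test rather than a package dependency, which is the honest answer to the DEPEND question: the ebuild cannot know how the kernel was built, so the script has to find out when it runs.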
