Not in agreement with what? I'm simply asking a question. I understand what you are saying, but I think you are still stuck on your original thread with the guy who actually wants a one button firewall. You assume too much if you think that I am looking for the same thing. Nobody wants to make gentoo into a zero knowledge distro, so it's real easy to score some cheap shots making comparisons to Microsoft and Redhat.

Configuration is obviously in the domain of a package. Ideally the default configuration is conservative and secure. The fact is Gentoo is making policy decisions every day, and even deals with optional configurations. Take /etc/rc.d/config/basic where we have the choice of using either achim's, drobbin's or pete's favorite console fonts. I like that. Why? Because even though I have a preference as to what my console font is I really don't give a damn. I'm not going to waste too much time researching different console fonts. So I really appreciate a suggested configuration. This solution is cool, but it gets more complicated when we get into desktops. So what I was suggesting was a higher level tool to handle configurations. Should gentoo provide one default configuration for GNOME? Or should there be a choice of configurations? Maybe separation of installation and configuration would be a good thing? I think a configuration tool moves toward gentoo's goal of being a meta-distribution.

Now I'm not suggesting a configuration tool that can replace the need for manual configuration, at least in most cases. Just a tool that can manage multiple optional configurations. I'm with you when you say that an admin (or user) should understand netfilter before implementing it, and I disagree with the original poster who wants an easy (but insecure) way to NAT his network. However, there comes a time when you may want the benefit of someone else's experience. You probably did not write a firewall script from scratch, or your XFree configuration, and on and on. Chances are you used a suggested configuration that you modified to suit your purposes.

Anyway it is simply an idea, maybe even a bad one. I'm not terribly attached to it. I was hoping to open a logical discussion not some hot-blooded "debate". Nobody is going to turn gentoo into a Mandrake or Redhat. Documentation is a lot more important than optional configuration packages. Please tone down the emotion and carefully consider what I am saying next time. It sounds like we agree on a lot, and even if we disagree I think it is to everyone's advantage to keep an open mind.

-sherman

-----Original Message-----
From: Donny Davies <woodchip@g.o>
Sent: Wednesday, October 03, 2001 12:35 PM
To: <gentoo-dev@××××××××××.org>
Subject: [gentoo-dev] NAT iptables info

Nope. Sorry. I'm not in agreement in this at all. Of course, it's open to debate,
I'm not saying I know everything, nor I'm 100% right. Go ahead, debate away.
But I don't want any part of it, I'll tell you that!

If you don't understand the ramifications of packet filtering, NAT, etc then
you have *no* business running this software. We are not Microsoft or Wingate,
opening your machine to a wider world.

What if somebody's iptables script is made into an ebuild, and said script turns
out to be flawed, perhaps seriously? Then it's "hey, yeah those guys at gentoo
have a firewall setup like swiss cheese.". What interfaces are you going to
configure this ebuild for? eth0 and eth1? how about ppp? maybe an isdn
interface? How do you choose? I'm going to say this again, it is %100
configuration. This is *not* the domain of a package. It is the domain of
a system administrator. This is 1 file we're talking about here people, not
a series of docs, scripts, config files. *most* of them anyway. There *are*
some that come with external configs. But that's all beside the point. The
script needs to be edited. This whole thing started because we basically had
a post to the devel list of the flavour: "I need an iptables HOWTO".

What are you going to do about the kernel modules? Did you know that
the netfilter modules are built at the kernel level? How are you going to
DEPEND on that?

This is bad policy. A distribution should *not* be dictating *policy*. To
not understand that is a big mistake. Listen, Redhat and Mandrake are
the kinds of distros doing this stuff! Making Linux into a 1 click affair.
This is not our primary intention. Not at this stage anyway!

So feel free to debate it all you want, I won't be having *any* part in it
I'll tell you that!

Cheers!

Donny