1 |
On Thu, Mar 1, 2018 at 8:48 PM, Walter Dnes <waltdnes@××××××××.org> wrote: |
2 |
> On Thu, Mar 01, 2018 at 12:58:44PM -0500, Tom H wrote |
3 |
>> On Wed, Feb 28, 2018 at 4:15 PM, Walter Dnes <waltdnes@××××××××.org> wrote: |
4 |
>> > |
5 |
>> > Is there something besides iptables? It seems to be like |
6 |
>> > systemd/perl/python, continuously expanding its scope. And no, I'm not |
7 |
>> > looking for an "easy-peasy front-end gui" that'll probably pull in 90% |
8 |
>> > of QT as dependancies. I fondly remember IPCHAINS. |
9 |
>> |
10 |
>> iptables doesn't depend on systemd, perl, or python. |
11 |
> |
12 |
> It has become an all-in-one router/packet-mangler/firewall/QOS/etc |
13 |
> when I simply want a firewall. The required kernel entries have |
14 |
> increased simply for the firewall functionality. |
15 |
> |
16 |
|
17 |
Has it really changed that much for the same requirements? Google |
18 |
suggests that blocking a port is still a one-liner. |
19 |
|
20 |
They've certainly added a lot of functionality, but as far as I'm |
21 |
aware you don't have to use most of it to just filter packets. |
22 |
|
23 |
In any case, netfilter is entirely in the kernel, so you're going to |
24 |
be using it one way or another if you want to use linux. Using a |
25 |
front-end is the easiest way to go with it. |
26 |
|
27 |
I don't really see that Linus has much choice but to accept more scope |
28 |
unless he wants to move netfilter out into userspace, since I'm sure |
29 |
some people need those features and he hasn't really given them any |
30 |
other way to have them. |
31 |
|
32 |
If they did move netfilter to userspace, then it would probably end up |
33 |
working a lot more like dbus, I'm sure that would make you happier... |
34 |
It would enable you to use an alternative implementation, though. |
35 |
Not that anybody will bother to write one because it is easier to let |
36 |
RedHat do all the work. |
37 |
|
38 |
That is generally how most of these things go. Nobody really kills |
39 |
off the ability for a simple tool to work. However, what does happen |
40 |
is that somebody comes up with a fancier tool that covers more edge |
41 |
cases, then all the distros adopt it, because they're shipping it all |
42 |
preconfigured so it isn't that big a deal if the new solution requires |
43 |
35 configuration files since it isn't like their end-users are editing |
44 |
those files directly. Then more software ends up taking advantage of |
45 |
some of the features offered by this tool, and it becomes harder to |
46 |
avoid using it. |
47 |
|
48 |
If anything netfilter staying in the kernel and picking up all those |
49 |
other features is probably going to be more to your taste than the |
50 |
alternatives... |
51 |
|
52 |
-- |
53 |
Rich |