| 1 |
On Thu, Mar 1, 2018 at 8:48 PM, Walter Dnes <waltdnes@××××××××.org> wrote: |
| 2 |
> On Thu, Mar 01, 2018 at 12:58:44PM -0500, Tom H wrote |
| 3 |
>> On Wed, Feb 28, 2018 at 4:15 PM, Walter Dnes <waltdnes@××××××××.org> wrote: |
| 4 |
>> > |
| 5 |
>> > Is there something besides iptables? It seems to be like |
| 6 |
>> > systemd/perl/python, continuously expanding its scope. And no, I'm not |
| 7 |
>> > looking for an "easy-peasy front-end gui" that'll probably pull in 90% |
| 8 |
>> > of QT as dependancies. I fondly remember IPCHAINS. |
| 9 |
>> |
| 10 |
>> iptables doesn't depend on systemd, perl, or python. |
| 11 |
> |
| 12 |
> It has become an all-in-one router/packet-mangler/firewall/QOS/etc |
| 13 |
> when I simply want a firewall. The required kernel entries have |
| 14 |
> increased simply for the firewall functionality. |
| 15 |
> |
| 16 |
|
| 17 |
Has it really changed that much for the same requirements? Google |
| 18 |
suggests that blocking a port is still a one-liner. |
| 19 |
|
| 20 |
They've certainly added a lot of functionality, but as far as I'm |
| 21 |
aware you don't have to use most of it to just filter packets. |
| 22 |
|
| 23 |
In any case, netfilter is entirely in the kernel, so you're going to |
| 24 |
be using it one way or another if you want to use linux. Using a |
| 25 |
front-end is the easiest way to go with it. |
| 26 |
|
| 27 |
I don't really see that Linus has much choice but to accept more scope |
| 28 |
unless he wants to move netfilter out into userspace, since I'm sure |
| 29 |
some people need those features and he hasn't really given them any |
| 30 |
other way to have them. |
| 31 |
|
| 32 |
If they did move netfilter to userspace, then it would probably end up |
| 33 |
working a lot more like dbus, I'm sure that would make you happier... |
| 34 |
It would enable you to use an alternative implementation, though. |
| 35 |
Not that anybody will bother to write one because it is easier to let |
| 36 |
RedHat do all the work. |
| 37 |
|
| 38 |
That is generally how most of these things go. Nobody really kills |
| 39 |
off the ability for a simple tool to work. However, what does happen |
| 40 |
is that somebody comes up with a fancier tool that covers more edge |
| 41 |
cases, then all the distros adopt it, because they're shipping it all |
| 42 |
preconfigured so it isn't that big a deal if the new solution requires |
| 43 |
35 configuration files since it isn't like their end-users are editing |
| 44 |
those files directly. Then more software ends up taking advantage of |
| 45 |
some of the features offered by this tool, and it becomes harder to |
| 46 |
avoid using it. |
| 47 |
|
| 48 |
If anything netfilter staying in the kernel and picking up all those |
| 49 |
other features is probably going to be more to your taste than the |
| 50 |
alternatives... |
| 51 |
|
| 52 |
-- |
| 53 |
Rich |
Archives