Systemd 240 Released To End 2018 On A High Note
Originally posted by frank007
At the moment this is the situation. Do you like an "under heavy development" OS? Feel free to use it, I do not call you insane. I want a different solution, I am a simple "Linux user" (not a sysadmin), and I want to keep my data safe in the hard disks. That's all.
- Likes 3
Originally posted by Danny3
I hope that in the future systemd will add an easy to use and understand firewall to their existing network code.
I remember that in one of their conference videos Lennart or some other developer said that they would want to add a firewall that is program based, not port based.
- Likes 1
Originally posted by Danny3
I hope that in the future systemd will add an easy to use and understand firewall to their existing network code.
I remember that in one of their conference videos Lennart or some other developer said that they would want to add a firewall that is program based, not port based.
Originally posted by Danny3
That would be great for someone like me who doesn't want to search online which ports a program uses and then add a rule for those.
You are assuming that applications use a specific port or range of ports all the time. That is true for applications on the "well known ports". Some applications use port numbers outside of that "well known" range. Nothing says that application developers always have to use the port(s) they were originally written to use if they are outside the "well known" range. Sometimes application developers change port numbers in future releases simply to get around firewall rules. In other words, never expect application code to behave in a future release like it did in a past release; good enterprise support teams have dedicated test teams to find those issues before they roll out a new OS or application version to their users.
The impact to firewall developers is having to keep pace with the work of application developers, both in code development, updating, and testing. There is no obvious notification process unless the firewall code maintainers subscribe to every email list out there; an unrealistic expectation for any developer when their teams mostly work independently of each other. So that means there will always be a lag between what application developers do and what the firewall developers/maintainers program. Any lag in support means "breakage". Do you want "breakage" where you will have to wait for a future update?
Your idea could appear as a "subscription" service where Linux users that want it can pay for it. That would help underwrite/subsidize the massive maintenance process, but it does nothing to fix "the lag" between work done by application developers and firewall code updates. Would you be willing to pay for such a service even though there may still be a "lag" and occasional "breakage"?
Originally posted by Danny3
Besides, I think the program could just dynamically use another port or change the used port after an update and then the firewall rule would have no effect and the program could still use the network as if there were no firewall.
Originally posted by Danny3
I hope that in the future systemd will add an easy to use and understand firewall to their existing network code.
I remember that in one of their conference videos Lennart or some other developer said that they would want to add a firewall that is program based, not port based.
That would be great for someone like me who doesn't want to search online which ports a program uses and then add a rule for those.
Besides, I think the program could just dynamically use another port or change the used port after an update and then the firewall rule would have no effect and the program could still use the network as if there were no firewall.
Something like this already exists on Android if you install AFWall+
I hope to see something smart and easy like that built into Linux too.
Maybe then distros can add a firewall section to their respective control panels.
Firewalls that actually inspect traffic and block applications regardless of ports and IPs are called "application firewalls", but they require significant amounts of resources as they are inspecting all packets and keeping track of what is going on.
Currently the most similar thing is the "portals" feature of Flatpak, where you can give Flatpak applications that are otherwise sandboxed permission to access something when they ask for it (similar to Android), but it's still under development.
- Likes 1
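To illustrate the "program based, not port based" idea from the defender's side, here is an added example that is not from any post in this thread or from the systemd project's own documentation: a systemd drop-in that pins network access to a service's processes using the IPAddressDeny= / IPAddressAllow= directives systemd already ships (added in v235; they rely on cgroup v2 and BPF support in the kernel). The service name and the 192.0.2.0/24 range are placeholders chosen for this example.

```ini
# /etc/systemd/system/example-daemon.service.d/network-restrict.conf
# "example-daemon" is a hypothetical unit name used only for this example.
# The directives are real settings from systemd.resource-control(5) and
# systemd.exec(5); IPAddressDeny/IPAddressAllow are enforced per cgroup, so they
# follow the service's processes rather than any particular port number.
[Service]
# Start from "deny everything" for this unit's cgroup ...
IPAddressDeny=any
# ... then allow only loopback and one constructed local subnet (TEST-NET-1,
# a documentation range standing in for whatever your real subnet is).
IPAddressAllow=localhost
IPAddressAllow=192.0.2.0/24
# Remove socket families the service has no business using at all.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# For a service that should never touch the network, the stricter alternative
# is a private loopback-only network namespace:
# PrivateNetwork=yes
```

After `systemctl daemon-reload` and a restart of the unit, `systemctl show example-daemon.service -p IPAddressAllow -p IPAddressDeny` reports the effective lists. The point relative to the thread: if the program switches ports after an update, the restriction still applies, because it is attached to the unit's processes and not to a port number.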
Originally posted by frank007
I'm just switching from systemd to a different init system. I already experienced an unbootable system (doing nothing) because of it. That's all.
I remember Sysvinit, I remember how easy it was to manage, I remember everything, so I'm just switching over.
- Likes 5
Originally posted by NotMine999
"easy to use" and "firewall code" tend to conflict with each other.
Last edited by starshipeleven; 23 December 2018, 06:12 AM.