Firewalld 1.0 Released With Big Improvements

  • #11
    Originally posted by jacob:
    UFW is good for what it does, but apart from limited distro support it also has too many drawbacks:
    • [...]
    • it has no GUI
    GUFW?



    • #12
      Originally posted by cl333r:
      Alright my little greasy monkeys, who's the first one to complain about firewalld?
      What are the best alternatives out there?



      • #13
        Originally posted by Chugworth:
        The difference is, working with nftables is not so hard.
        It's also not suitable for use on a laptop or mobile device where you can roam between zones and use cases all the time. Besides, the point is not whether it's hard, the point is that it's not automated away so that people never have to worry about it. Remember what Linus said about plug & play: a user friendly OS is not one that has a fancy UI to configure drivers, it's one where users never even hear about drivers. I would say it applies to the FW as well: people should be able to decide "I want X to work and Y to be blocked" without having to care about the syntax of nftables, which is irrelevant to what they are doing (e.g. recording music).



        • #14
          Originally posted by Chugworth:
          Wouldn't it be better to just learn how to manage nftables than learn how to manage a service that manages nftables?
          Indeed. One has to learn about firewalld's command options and its syntax before one can use it, and it requires a good understanding of networking and how it is handled within the kernel. So for a lot of people it is indeed better to use nftables directly when it already does what they need. For those who want to use firewalld instead, it then helps to understand how it works when one understands nftables, Python and XML, because firewalld builds on these.

          No amount of abstractions and conveniences will help when it comes to security. Understanding the fundamentals is always key and to think there was a convenient way around it is the first step to making a mistake.
          Last edited by sdack; 23 July 2021, 01:11 AM.



          • #15
            Originally posted by jacob:
            Wouldn't it be better to learn assembly than learn a language that compiles to assembly?

            Wouldn't it be better to learn how to set the colours of pixels on the screen than learn an API that renders pixels on the screen?

            Wouldn't it be better to learn how to send/receive ethernet frames rather than use application-level protocols that send and receive ethernet frames?
            Compilers help when you want to write code for many different CPUs and where you would have to learn many different assembly dialects and instruction sets. Compilers also help with the size of code and make large projects more manageable. However, when you only have one dialect, one instruction set and the problem you want to solve can be packed into a few thousand lines, then the advantages of compilers diminish and their complexity becomes their disadvantage. So your example of compilers does not quite compare to nftables vs. firewalld, because nftables is what firewalld uses and iptables is obsolete. If you knew nftables then you would also know that.

            In a similar way, your comparison to Ethernet frames fails, because there is not one frame for all, but many different frames doing many different things. In your comparison, Firewalld becomes the one Ethernet frame that does it all, which it is not. Firewalld is only as powerful as nftables allows it to be.

            To compare nftables to setting pixels and to say it was not an API is just as wrong. nftables is the API to setting firewall rules within the kernel. It then does not make sense to always use OpenGL or Vulkan to draw a pixel, a line or to render a video on a screen either when more appropriate and more direct rendering APIs are available. This is even more true in graphics where every level of abstraction can introduce unwanted delays.
            Last edited by sdack; 23 July 2021, 01:47 AM.



            • #16
              Originally posted by Templar82:
              Actually yes I wish more people would do this in some cases.
              Assembly is actually pretty neat when you want to learn about how a CPU does all the things we're able to make it do.



              • #17
                Originally posted by jacob:
                It's also not suitable for use on a laptop or mobile device where you can roam between zones and use cases all the time.
                It actually is. When you can implement your firewall rules for different zones in one nftables ruleset, then you will be better off than using an application which first needs to determine the zone you are in before it changes a ruleset. Because when you can do it in one nftables ruleset, then all roaming is handled directly within the kernel and not in user space, leaving you with no roaming delay and no security gap. Ideally you want firewalld to create one permanent ruleset for all cases, and not have it switch around multiple sets and force you to manage multiple sets, which possibly share common features.
                Last edited by sdack; 23 July 2021, 01:58 AM.



                • #18
                  Originally posted by sdack:
                  Compilers help when you want to write code for many different CPUs and where you would have to learn many different assembly dialects and instruction sets. Compilers also help with the size of code and make large projects more manageable. However, when you only have one dialect, one instruction set and the problem you want to solve can be packed into a few thousand lines then the advantages of compilers diminish and their complexity becomes their disadvantage.
                  Really? Show me someone who, when they want to calculate the Nth Fibonacci number, would prefer to code it in assembly rather than dealing with the "complexity" of the compiler. This is the wrong approach: complexity is a fact and cannot be ignored. Properly designed software deals with it internally, bad software pushes it on the user.



                  • #19
                    Originally posted by sdack:
                    It actually is. When you can implement your firewall rules for different zones in one nftables ruleset, then you will be better off than using an application which first needs to determine the zone you are in before it changes a ruleset. Because when you can do it in one nftables ruleset, then all roaming is handled directly within the kernel and not in user space, leaving you with no roaming delay and no security gap. Ideally you want firewalld to create one permanent ruleset for all cases, and not have it switch around multiple sets and force you to manage multiple sets, which possibly share common features.
                    So you go to work where you connect to a 10.0.0.0/8 through Wifi. Then you get home and connect to your home Wifi, which is 10.0.0.0/8. Different zone, different requirements. How do you do that in nftables alone?

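An added example, not taken from this thread or from the firewalld project, of what the "one permanent ruleset for all zones" from #17 looks like in plain nftables: two zone chains selected in one kernel lookup on the ingress interface. The interface names (eth0, wlan0) and the 192.168.1.0/24 admin range are assumed values. Note that a static ruleset can only key on what the kernel sees (interface, addresses, ports), so the two 10.0.0.0/8 Wi-Fi networks from #19 would both land in the wlan0 zone here.

```nftables
#!/usr/sbin/nft -f
# Added example: one static ruleset covering two zones, chosen by ingress interface.
# Interface names and the admin range are assumed; adjust to the host in question.
flush ruleset

table inet filter {
    # Hosts allowed to reach SSH while on the wired "work" interface (constructed range)
    set work_admins {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.0/24 }
    }

    chain zone_work {
        ip saddr @work_admins tcp dport 22 accept
        # Everything else unsolicited on the work interface is counted, logged and dropped
        counter log prefix "nft-work-drop: " drop
    }

    chain zone_home {
        # Home zone: SSH from the local RFC1918 range and mDNS discovery only
        ip saddr 10.0.0.0/8 tcp dport 22 accept
        udp dport 5353 accept
        counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Zone selection happens here, in the kernel, with no user-space ruleset switch
        iifname vmap { "eth0" : jump zone_work, "wlan0" : jump zone_home }
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; packets on any interface not named in the vmap fall through to the chain's drop policy.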


                    • #20
                      Originally posted by jacob:
                      Really? Show me someone who, when they want to calculate the Nth Fibonacci number, would prefer to code it in assembly rather than dealing with the "complexity" of the compiler.
                      Here, I do. Your problem simply is that you do not know how to write assembly code, and hence it only seems more complicated to you. Why then not use an interpreter or an advanced scientific software to calculate the Nth Fibonacci number? Again, only somebody who does not know how to use either would claim the best way was to use a compiler.
