Firewalld 1.0 Released With Big Improvements
  • jacob (Senior Member) replied
    Originally posted by sdack:
    Compilers produce assembly so you cannot really say it would not be used. Anyhow, I think you're only making a bad analogy here.

    Nftables offers you many different tools, and if you do not know about them then you also cannot use firewalld effectively. At best you will have to rely on your distro to install firewalld with a secure default. And while one can write software without knowing about assembly language, I do not believe it is a good idea to create a secure system with firewalld without knowing nftables. You will only make the mistake many home users make when they install a 3rd-party firewall on their computers, then open lots of ports for games, and still keep thinking it would make their computer secure, because they have installed a 3rd-party firewall with a nice user interface and so now it protects them as long as they open ports using their new firewall software.
    Having a distro that installs firewalld securely is obviously the assumption here. In fact that's the whole reason why computers exist at all: to automate things so that people don't have to bother with them. You can certainly use firewalld without caring about nftables: you say "when at home I want to use bittorrent and share files using SMB, when at work that must be blocked". It takes about 3-4 clicks to do that and works reliably. Then you can care about productive things (used loosely, whether it's developing software, playing games, browsing the web or creating) rather than wasting time with the menial chores of administering your OS.

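As an added illustration of the zone workflow jacob describes (this is not code from the thread or from the firewalld project), here is a firewalld zone definition that opens SMB and a BitTorrent listening port only for connections assigned to a `home` zone; the file path, the zone name and the port 51413 are assumptions for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: /etc/firewalld/zones/home.xml (constructed example, not from the thread) -->
<zone>
  <short>Home</short>
  <description>Trusted home Wi-Fi: SMB file sharing and a BitTorrent client are reachable.</description>
  <!-- "samba" is firewalld's predefined service: TCP 139/445 plus NetBIOS UDP 137/138 -->
  <service name="samba"/>
  <!-- BitTorrent listening port; 51413 is an assumed value, use whatever your client is configured with -->
  <port port="51413" protocol="tcp"/>
  <port port="51413" protocol="udp"/>
</zone>
```

Bind only the home connection to this zone with NetworkManager (`nmcli connection modify "<home connection name>" connection.zone home`, then `firewall-cmd --reload`); the work connection stays in the stricter default `public` zone, so neither port is open there even though both networks use the same 10.0.0.0/8 range.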

  • sdack (Senior Member) replied
    Originally posted by jacob:
    Assembly is used very little in high performance computing. Fortran rules there and it can usually optimise and autovectorise nontrivial code better than hand-written assembly. And if you are about to pretend that you use MPI, OpenMP etc in assembly then I'm calling out your BS right now.
    Compilers produce assembly so you cannot really say it would not be used. Anyhow, I think you're only making a bad analogy here.

    Nftables offers you many different tools, and if you do not know about them then you also cannot use firewalld effectively. At best you will have to rely on your distro to install firewalld with a secure default. And while one can write software without knowing about assembly language, I do not believe it is a good idea to create a secure system with firewalld without knowing nftables. You will only make the mistake many home users make when they install a 3rd-party firewall on their computers, then open lots of ports for games, and still keep thinking it would make their computer secure, because they have installed a 3rd-party firewall with a nice user interface and so now it protects them as long as they open ports using their new firewall software.


  • tomas (Senior Member) replied
    sdack:

    What you are saying is essentially that an ordinary computer user can never have security because they are not willing to dig into frankly obscure low level details regarding the network traffic on their computer.


  • sdack (Senior Member) replied
    Originally posted by jacob:
    You seem determined not to see the point. The difference is obvious: different WiFi access point. Nftables doesn't have that information, firewalld does and can act on it.
    It is not that I do not see your point. You want to say that firewalld allows you to open ports whereas nftables would not. And you want to open ports not based on the actual traffic between hosts, but in a more vague and loose way, possibly in order to avoid having to bother with the details. Only the details are essential when you want to have security. nftables can certainly distinguish between access points, but the problem still remains: which hosts behind the access points can you actually trust, and why? You can have nftables filter traffic based on the MAC addresses of the access points for example, but these can be faked just as the SSID of an access point can be faked. So just saying firewalld would allow you to do something that nftables would not, and that this would also make it more secure and not simply less, is not an answer.


  • jacob (Senior Member) replied
    Originally posted by BingoNightly:
    Assembly is actually pretty neat when you want to learn about how a CPU does all the things we're able to make it do.
    When you want to learn about CPUs, absolutely. When you are developing application software, it's the wrong option 99.99999999% of the time.


  • jacob (Senior Member) replied
    Originally posted by sdack:
    I do not believe you. If you actually had, then you would know that especially where performance is needed, algorithms are implemented in assembly instructions. It is one of the few domains where assembly programming has always ruled over compilers.
    Assembly is used very little in high performance computing. Fortran rules there and it can usually optimise and autovectorise nontrivial code better than hand-written assembly. And if you are about to pretend that you use MPI, OpenMP etc in assembly then I'm calling out your BS right now.


  • jacob (Senior Member) replied
    Originally posted by sdack:
    Clearly your problem is not with nftables or with firewalld. Your problem is with identifying a difference. When you cannot tell a difference, then why do you think it is safe to allow traffic to pass on one network but not the other? You can certainly get hacked on either network, and especially on WiFi networks.
    You seem determined not to see the point. The difference is obvious: different WiFi access point. Nftables doesn't have that information, firewalld does and can act on it.


  • sdack (Senior Member) replied
    Originally posted by jacob:
    I have written more than a little assembly code, both on the M68K and on x86_64. I've also written a compiler that generates x86_64 assembly. It's useful where it makes sense; for implementing algorithms it doesn't.
    I do not believe you. If you actually had, then you would know that especially where performance is needed, algorithms are implemented in assembly instructions. It is one of the few domains where assembly programming has always ruled over compilers.


  • sdack (Senior Member) replied
    Originally posted by jacob:
    So you go to work where you connect to a 10.0.0.0/8 network through WiFi. Then you get home and connect to your home WiFi, which is 10.0.0.0/8. Different zone, different requirements. How do you do that in nftables alone?
    Clearly your problem is not with nftables or with firewalld. Your problem is with identifying a difference. When you cannot tell a difference, then why do you think it is safe to allow traffic to pass on one network but not the other? You can certainly get hacked on either network, and especially on WiFi networks.


  • jacob (Senior Member) replied
    Originally posted by sdack:
    Here, I do. Your problem simply is that you do not know how to write assembly code, and hence it only seems more complicated to you. Why then not use an interpreter or advanced scientific software to calculate the Nth Fibonacci number? Again, only somebody who does not know how to use either would claim the best way is to use a compiler.
    I have written more than a little assembly code, both on the M68K and on x86_64. I've also written a compiler that generates x86_64 assembly. It's useful where it makes sense; for implementing algorithms it doesn't.
