Firewalld 1.0 Released With Big Improvements
Originally posted by Chugworth:
The difference is, working with nftables is not so hard.
- Likes 7
Originally posted by Chugworth:
Wouldn't it be better to just learn how to manage nftables than learn how to manage a service that manages nftables?

No amount of abstraction and convenience will help when it comes to security. Understanding the fundamentals is always key, and to think there is a convenient way around it is the first step to making a mistake.
Last edited by sdack; 23 July 2021, 01:11 AM.
- Likes 4
Originally posted by jacob:
Wouldn't it be better to learn assembly than learn a language that compiles to assembly?
Wouldn't it be better to learn how to set the colours of pixels on the screen than learn an API that renders pixels on the screen?
Wouldn't it be better to learn how to send/receive ethernet frames rather than use application-level protocols that send and receive ethernet frames?

In a similar way, your comparison to Ethernet frames fails, because there is not one frame for all but many different frames doing many different things. In your comparison Firewalld becomes the one Ethernet frame that does it all, which it is not. Firewalld is only as powerful as nftables allows it to be.
To compare nftables to setting pixels and to say it is not an API is just as wrong. nftables is the API for setting firewall rules within the kernel. It then does not make sense to always use OpenGL or Vulkan to draw a pixel or a line, or to render a video on a screen, either, when more appropriate and more direct rendering APIs are available. This is even more true in graphics, where every level of abstraction can introduce unwanted delays.
Last edited by sdack; 23 July 2021, 01:47 AM.
- Likes 3
Originally posted by jacob:
It's also not suitable for use on a laptop or mobile device where you can roam between zones and use cases all the time.
Last edited by sdack; 23 July 2021, 01:58 AM.
- Likes 3
Originally posted by sdack:
Compilers help when you want to write code for many different CPUs, where you would have to learn many different assembly dialects and instruction sets. Compilers also help with the size of code and make large projects more manageable. However, when you only have one dialect, one instruction set, and the problem you want to solve can be packed into a few thousand lines, then the advantages of compilers diminish and their complexity becomes their disadvantage.
- Likes 5
Originally posted by sdack:
It actually is. When you can implement your firewall rules for different zones in one nftables ruleset, then you will be better off than using an application which first needs to determine the zone you are in before it changes a ruleset. Because when you can do it in one nftables ruleset, all roaming is handled directly within the kernel and not in user space, leaving you without a roaming delay and no security gap. Ideally you want firewalld to create one permanent ruleset for all cases, and not have it switch around multiple sets and force you to manage multiple sets which possibly share common features.
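The "one permanent ruleset for all cases" idea from the quoted post, as an added illustration that is not from this thread, from firewalld or from the nftables project: a single static ruleset that classifies traffic into per-zone chains inside the kernel, so nothing in user space has to swap rulesets when the host moves between networks. The interface names eth0/wlan0, the home prefix 192.168.1.0/24 and the port lists are hypothetical; the zones here are keyed on the interface and the source prefix, which is what a static ruleset can see.

```nft
#!/usr/sbin/nft -f
# Added illustration, not firewalld's generated rules or anything from the thread.
# Assumptions (hypothetical): eth0 is the wired/trusted link, wlan0 roams, the
# home network is 192.168.1.0/24, and the ports below are the services exposed at home.

flush ruleset

table inet filter {
    # Source prefixes that get "home" treatment; anything else arriving on wlan0 is "public".
    set home_nets {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.0/24 }
    }

    # TCP services reachable from the home zone only.
    set home_tcp_ports {
        type inet_service
        elements = { 22, 445, 8080 }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Connection tracking first: replies to our own traffic pass in every zone,
        # invalid packets never do.
        ct state vmap { established : accept, related : accept, invalid : drop }
        iif lo accept

        # Basic ICMP/ICMPv6 is needed for connectivity regardless of zone.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Zone dispatch happens here, in the kernel: wired goes straight to the
        # trusted chain, wireless is classified by where the packet came from.
        iifname vmap { "eth0" : jump zone_trusted, "wlan0" : jump classify_wifi }
    }

    chain classify_wifi {
        ip saddr @home_nets jump zone_home
        jump zone_public
    }

    chain zone_trusted {
        accept
    }

    chain zone_home {
        tcp dport @home_tcp_ports accept
        udp dport { 5353, 1900 } accept   # mDNS and SSDP for local discovery
        log prefix "home-drop: " drop
    }

    chain zone_public {
        # Nothing new is accepted inbound; established/related was handled above.
        log prefix "public-drop: " drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
```

Validate without loading it using `nft -c -f rules.nft`, then load with `nft -f rules.nft`. One caveat to weigh against the quoted argument: a static ruleset can only key on what the kernel sees (interface, addresses, connection state), so "which network am I on" has to be approximated by a source prefix as done here; it cannot key on an SSID or a NetworkManager connection profile, which is the information firewalld uses when it assigns an interface to a zone.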
Originally posted by jacob:
Really? Show me someone who, when they want to calculate the Nth Fibonacci number, would prefer to code it in assembly rather than dealing with the "complexity" of the compiler.
- Likes 2