On Mon, Sep 24, 2018 at 08:21:55PM +0100, Joe wrote:
> And there you have the problem: it would be necessary for the installation of certain packages (e.g. MTA) to automatically poke holes in the firewall.

We agree this far.

> For this to be practical, a completely standardised iptables architecture would be necessary, with limited user customisation. That's how Windows does it.

This is where we disagree. What would be needed would be a standard interface for a package to say "open this port", that was implemented by the iptables (say) package by default, but, if you were writing a very DIY ruleset, you could override the iptables-package's implementation and provide one yourself (or ignore the package hooks if you wished).

> Fine for Brian, and others who use no firewall at the moment, not so good for anyone with an existing hand-made set of iptables rules. My netbook, for example, has three sets of rules which are selected according to the environment and whether a VPN is in use. My server has a set of rules appropriate to a network firewall plus VPN server, with suitable named chains and 'subroutine' structure. All of this would be swept away by a standard firewall structure, and would need to be rebuilt in conformance with the standard. Such a standard would have to encompass all possible use-cases, including multiple NICs and multiple VPN arrangements. Any volunteers?

The approach I outline above would mean you would have the choice of reworking your configuration to work in harmony with the new arrangement, or override and ignore it, and continue as you are.

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.
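As an added illustration (not code from this thread, from Debian, or from any iptables package), here is one way the "open this port" interface proposed above could be sketched as a POSIX shell library. A package's maintainer script would call `firewall_open_port`; the iptables package would ship the default implementation; an administrator with a hand-made ruleset would drop an executable at the override path (here the hypothetical `/etc/firewall/open-port.local`, selectable via `FIREWALL_OVERRIDE`) that either integrates the request into their own chains or simply does nothing, which is the "ignore the package hooks" option. The function names, paths and the `FIREWALL_DRY_RUN` switch are all assumptions made for this sketch; with `FIREWALL_DRY_RUN=1` (the default here) the default implementation prints the rule it would add instead of running iptables, so the script can be exercised without root.

```shell
#!/bin/sh
# Hypothetical package-to-firewall hook interface (illustration only).
# Packages call:  firewall_open_port <tcp|udp> <port> <package-name>

# Hypothetical override path; an admin-owned script here replaces the default.
: "${FIREWALL_OVERRIDE:=/etc/firewall/open-port.local}"
# 1 = print the iptables command instead of executing it (safe for testing).
: "${FIREWARE_DRY_RUN_UNUSED:=}"
: "${FIREWALL_DRY_RUN:=1}"

# Refuse anything that is not a plain tcp/udp port number, so a sloppy
# maintainer script cannot smuggle extra iptables arguments into the rule.
firewall_validate() {
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# Default implementation: what the iptables package itself would provide.
# The comment match records which package asked, so the hole is auditable.
firewall_default_open_port() {
    cmd="iptables -A INPUT -p $1 --dport $2 -m comment --comment pkg:$3 -j ACCEPT"
    if [ "$FIREWALL_DRY_RUN" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        $cmd
    fi
}

# The stable interface packages call. Returns 2 on bad input, otherwise
# the exit status of whichever implementation handled the request.
firewall_open_port() {
    if ! firewall_validate "$1" "$2"; then
        echo "firewall_open_port: rejected proto/port '$1' '$2'" >&2
        return 2
    fi
    if [ -x "$FIREWALL_OVERRIDE" ]; then
        # Local admin owns the ruleset: delegate. An override that exits 0
        # without doing anything is the "ignore the hooks" choice.
        "$FIREWALL_OVERRIDE" "$1" "$2" "$3"
    else
        firewall_default_open_port "$1" "$2" "$3"
    fi
}

# Example call an MTA's postinst might make:
#   firewall_open_port tcp 25 postfix
```

The validation step is the part worth keeping whatever the surrounding design: the hook is a privileged boundary between package scripts and the host firewall, so the interface should accept only a protocol and a port, never a free-form rule fragment.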

