[Shorewall-users] Re: Shorewall-users digest, Vol 1 #122 - 10 msgs

Tom Eastep teastep@shorewall.net
Tue, 9 Apr 2002 08:06:28 -0700 (Pacific Daylight Time)

On Tue, 9 Apr 2002, Richard Kimber wrote:

> On Tue, 09 Apr 2002 08:38:10 -0400
> "Mark Hoover" <mhoover@nps.k12.va.us> wrote:
> > You could give most of these people a firewall ruleset that allows
> > everything throught and as long as they get a "Shorewall Started [    OK
> >   ]" they'll think they have a secure system.
> If their situation is straightforward enough and it's a good ruleset,
> presumably they will have a secure system.  It's surely only the more
> complex systems that require the extra work you refer to.  I guess I
> potentially confused the issue here by originally referring to 'newbies'.
> A newbie might in fact have any of a range of machine configurations. What
> I'm really concerned about are those people who have very simple,
> straightforward, systems where mastering a complex documentation, much of
> which doesn't apply to them, isn't justified.

This again says to me that we need better entry level documentation with
examples. I'm not objecting to the idea of easy to modify sample
configurations; what I dislike about the current samples is that they
unnecessarily try to simplify something that isn't complex to start
with and they do so by introducing a totally different configuration
interface. We are thus left with two configuration interfaces:

- The sample configurations which make it simple to do a few simple things
but impossible to do anything else. The parameterized technique does not
extend well to cover the many things that Shorewall can do.

- The native configuration interface which is very flexible but currently
imposes a steep learing curve.

I feel that by continuing to offer the current samples, I am leading
people into a dead-end solution that may serve their needs in the short
term but that will ultimately prove inadaquate.

I am going to withdraw from this debate now and spend what free time that
I have to work on the "Shorewall QuickStart Guide" that I started last

Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net