[Shorewall-users] Re: Shorewall-users digest, Vol 1 #122 - 10 msgs

Tom Eastep teastep@shorewall.net
Tue, 9 Apr 2002 08:06:28 -0700 (Pacific Daylight Time)


On Tue, 9 Apr 2002, Richard Kimber wrote:

> On Tue, 09 Apr 2002 08:38:10 -0400
> "Mark Hoover" <mhoover@nps.k12.va.us> wrote:
>
> > You could give most of these people a firewall ruleset that allows
> > everything through and as long as they get a "Shorewall Started [  OK  ]"
> > they'll think they have a secure system.
>
> If their situation is straightforward enough and it's a good ruleset,
> presumably they will have a secure system.  It's surely only the more
> complex systems that require the extra work you refer to.  I guess I
> potentially confused the issue here by originally referring to 'newbies'.
> A newbie might in fact have any of a range of machine configurations. What
> I'm really concerned about are those people who have very simple,
> straightforward, systems where mastering a complex documentation, much of
> which doesn't apply to them, isn't justified.
>

This again says to me that we need better entry level documentation with
examples. I'm not objecting to the idea of easy to modify sample
configurations; what I dislike about the current samples is that they
unnecessarily try to simplify something that isn't complex to start
with and they do so by introducing a totally different configuration
interface. We are thus left with two configuration interfaces:

- The sample configurations which make it simple to do a few simple things
but impossible to do anything else. The parameterized technique does not
extend well to cover the many things that Shorewall can do.

- The native configuration interface which is very flexible but currently
imposes a steep learning curve.

I feel that by continuing to offer the current samples, I am leading
people into a dead-end solution that may serve their needs in the short
term but that will ultimately prove inadequate.

I am going to withdraw from this debate now and spend what free time that
I have to work on the "Shorewall QuickStart Guide" that I started last
evening.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net