On Wed, 26 Sep 2018 14:39:41 +0100 Jonathan Dowland <[email protected]> wrote:
> On Mon, Sep 24, 2018 at 08:21:55PM +0100, Joe wrote:
> >And there you have the problem: it would be necessary for the
> >installation of certain packages (e.g. MTA) to automatically poke
> >holes in the firewall.
>
> We agree this far.
>
> > For this to be practical, a completely standardised
> >iptables architecture would be necessary, with limited user
> >customisation. That's how Windows does it.
>
> This is where we disagree. What would be needed would be a standard
> interface for a package to say "open this port", that was implemented
> by the iptables (say) package by default, but, if you were writing a
> very DIY ruleset, you could override the iptables-package's
> implementation and provide one yourself (or ignore the package hooks
> if you wished).
>

You're only moving the problem around. Some completely standard piece of
code *somewhere* has to know what is the right place to insert such a
rule.

I'll give you an example: neither the beginning nor the end of my INPUT
chain is the right place, because I do some catch-all stuff about
RELATED and INVALID at the beginning of the chain, and some assorted
logging at the end. I don't want anything placed before or after those
parts. In fact, the right place for my server firewall isn't in the
INPUT chain at all, but in one of a few custom chains.

There could be a standard custom chain in which such rules were inserted
so that they all arrived at a place to suit the user, but my point is
that enough such hooks must be defined and honoured to cover all
reasonable use cases. This is a significant project, one which involves
all IP-aware packages, and I don't think there is *yet* sufficient need
to justify the resources to do it right.

-- 
Joe
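Added example, not part of the thread: a ruleset in iptables-restore format laid out the way the reply above describes (RELATED/INVALID catch-alls at the top of INPUT, logging at the bottom) with one custom chain as the single hook point for package rules. The chain name "pkg-services" and the hook_rule helper that a package would call are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a user-owned INPUT chain with exactly one hook point.
# Package rules may only land in the custom chain; INPUT itself is never edited.

HOOK_CHAIN="pkg-services"   # assumed name for the standard hook chain

# The "open this port" interface a package would call at install time.
# Usage: hook_rule <tcp|udp> <port> <package>; prints one rule for the hook chain.
hook_rule() {
    proto="$1" port="$2" pkg="$3"
    case "$proto" in tcp|udp) ;; *) echo "hook_rule: bad proto '$proto'" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "hook_rule: bad port '$port'" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "hook_rule: bad port '$port'" >&2; return 1; }
    printf '%s\n' "-A $HOOK_CHAIN -p $proto --dport $port -m comment --comment \"pkg:$pkg\" -j ACCEPT"
}

# Render the complete ruleset. Package rules arrive on stdin, one per line
# as produced by hook_rule, and are spliced in before COMMIT. The order of
# the INPUT chain (catch-alls, hook jump, logging, drop) is fixed by the user.
render_ruleset() {
    hooks=$(cat)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:$HOOK_CHAIN - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j $HOOK_CHAIN
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP
$hooks
COMMIT
EOF
}

# Constructed usage: an MTA and sshd registering their listening ports.
# The output is what you would feed to 'iptables-restore' (not done here).
{ hook_rule tcp 25 postfix; hook_rule tcp 22 openssh-server; } | render_ruleset
```

A package that is removed would call the same interface to delete its line from the hook chain; nothing else in the ruleset needs to know where the chain sits.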

