I have been watching the progress of the new LEAF configuration
mechanism with some interest and while I haven't had the time to follow
the various threads closely, I have formed some impressions and I have
some concerns.
From what I understand, the new configuration system relies heavily on
(attribute,value) pairs. The idea seems to be to define these pairs
centrally and then propagate them into the various packages using some
sort of configuration API.
In one of my weaker moments, I introduced (attribute,value) pairs into
Shorewall configuration management and it was a disaster. The idea was
similar to today's sample Shorewall configurations but in my braindead
implementation, each sample configuration included an
/etc/shorewall/params file that tried to parameterize the user's entire
Shorewall configuration via (attribute,value) pairs.
The notion worked extremely well for first-time users with simple
requirements -- they were able to get their first firewall working very
easily and were very happy; UNTIL... they had to make their first
configuration change where I hadn't included an (attribute,value) pair
that expressed their particular requirement.
These users were then left with the choice of:
a) Pleading to me for help.
b) Trying to understand BOTH the standard Shorewall configuration method
AND my parameterizing scheme so they could extend the latter to conform
to the former.
c) Abandoning the (attribute,value) method of configuration and using
the native Shorewall configuration technique.
My conclusion was that the native Shorewall configuration method (table
oriented) was the correct one for ALL users even if it required a bit
more understanding on the part of the user to get their first firewall
running. And that requirement for understanding Shorewall configuration
has been largely ameliorated by the availability of the sample
configurations and the QuickStart Guides.
The bottom line is that (attribute,value) configuration is much less
flexible than the table-oriented configuration technique supported by
Shorewall and by reducing Shorewall configuration to (attribute,value)
pairs, you confine yourself to a very limited set of firewall
applications. When users outgrow that limited set, they must undergo a
paradigm shift and use a totally different configuration method.
As I said at the outset, these impressions/concerns are formed from an
understanding of the current proposals that is far from complete.
Corrections and criticisms are welcome...
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ [EMAIL PROTECTED]
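The expressiveness gap the post describes, as an added example that is not part of the original message and not Shorewall's own code: a hypothetical (attribute,value) params file of the kind Tom mentions is expanded into a fixed set of rules, while a Shorewall-style rules table (ACTION SOURCE DEST PROTO DEST PORT columns, zone:address qualifiers, `#` comments) is parsed and compiled into iptables commands. The params file, interfaces table and rules table are constructed sample inputs; the iptables translation is a deliberately simplified illustration (real Shorewall builds per-zone chains and policies), and the knob names such as ALLOW_SSH_FROM_NET are invented for the example. The per-host SSH rule in the table has no corresponding knob, which is exactly the situation where a params-only user gets stuck.

```python
"""Added example: fixed (attribute,value) knobs versus a Shorewall-style
rules table.  Not Shorewall code; knob names and iptables output are
illustrative assumptions."""

# Constructed sample: a hypothetical params-style file.  Every knob is a
# name chosen in advance by whoever wrote the parameterizing scheme.
PARAMS = """\
NET_IF=eth0
LOC_IF=eth1
ALLOW_SSH_FROM_NET=yes
ALLOW_DNS_FROM_LOC=yes
"""

# Constructed sample: Shorewall-style interfaces and rules tables.
INTERFACES = """\
#ZONE   INTERFACE
net     eth0
loc     eth1
"""

RULES = """\
#ACTION SOURCE            DEST    PROTO   DEST PORT(S)
ACCEPT  net               fw      tcp     22
ACCEPT  loc               fw      udp     53
ACCEPT  loc:192.168.1.5   fw      tcp     22
"""


def parse_params(text):
    """Parse KEY=VALUE lines, ignoring blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def rules_from_params(params):
    """Expand the knob set into (action, src, dst, proto, port) tuples.
    Only requirements anticipated by a knob can appear here; anything
    else needs a new knob and new expansion code."""
    rules = []
    if params.get("ALLOW_SSH_FROM_NET") == "yes":
        rules.append(("ACCEPT", "net", "fw", "tcp", "22"))
    if params.get("ALLOW_DNS_FROM_LOC") == "yes":
        rules.append(("ACCEPT", "loc", "fw", "udp", "53"))
    return rules


def parse_table(text, columns):
    """Parse a whitespace-separated table with # comments into tuples.
    Rows with the wrong column count are rejected rather than guessed."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != columns:
            raise ValueError("expected %d columns: %r" % (columns, line))
        rows.append(tuple(fields))
    return rows


def compile_rules(rules, interfaces):
    """Turn rule tuples into iptables commands (simplified illustration).
    A 'zone:addr' qualifier adds an -s/-d match to the interface match."""
    cmds = []
    for action, src, dst, proto, port in rules:
        src_zone, _, src_addr = src.partition(":")
        dst_zone, _, dst_addr = dst.partition(":")
        if src_zone == "fw":
            chain = "OUTPUT"
        elif dst_zone == "fw":
            chain = "INPUT"
        else:
            chain = "FORWARD"
        parts = ["iptables", "-A", chain]
        if src_zone != "fw":
            parts += ["-i", interfaces[src_zone]]
        if dst_zone != "fw":
            parts += ["-o", interfaces[dst_zone]]
        if src_addr:
            parts += ["-s", src_addr]
        if dst_addr:
            parts += ["-d", dst_addr]
        parts += ["-p", proto, "--dport", port, "-j", action]
        cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    knob_rules = rules_from_params(parse_params(PARAMS))
    table_rules = parse_table(RULES, 5)
    ifaces = dict(parse_table(INTERFACES, 2))
    for cmd in compile_rules(table_rules, ifaces):
        print(cmd)
    # The per-host rule exists only in the table; no knob can express it.
    missing = [r for r in table_rules if r not in knob_rules]
    print("not expressible via params:", missing)
```

Running the block prints three iptables commands and reports the `loc:192.168.1.5` rule as the one the params scheme cannot produce; adding a knob for it would just move the problem to the next unanticipated requirement.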
_______________________________________________
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
