Re: ASL 3.2.8 Firewall changes (alpha)
Posted: Wed Apr 17, 2013 8:41 am
We'll post the next iteration of changes here. And you're right, it is a really simple way to manage the list-based rules. That's why I really liked this non-object based approach.
I used to work extensively with fwbuilder.org as a rule manager years ago. So the other day I went back to revisit it for inspiration. Not having used it for 7 or 8 years I assumed that great leaps and strides would have been made in usability. Not so. The entire object approach is so ingrained in "commercial" firewall tools that there has been zero innovation. Aside from supporting some new devices it's basically the identical process as before.
So that's one thing... we're not going object. You'd have to take a class, or go to school to use something this mundane. People shouldn't spend so much time agonizing over something that is just barely a security tool.
ipsets (in ASL since 2.6.30.60) have potential. Being able to use match flags against giant lists deeply simplifies things like Geo or RBLs. (Example: .cn rules go from 30k entries to 1 that just says '.cn'). It could allow for port/ip tuples like the acl approach we're playing with.
Other than that I like what I see in firewalld from fedora, the zone approach is especially innovative. The DBUS parts are powerful, but they scare me (exploitable? maybe) and the ability to not drop state on established connections has extreme utility in HA environments.
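As an added illustration of the ipset collapse described in the post (this is not code from the post or from ASL): a per-network DROP list is turned into one `hash:net` set loaded via `ipset restore`, so a single `iptables -m set` rule replaces thousands, and a `hash:ip,port` set shows the port/ip tuple idea. The set names and the RFC 5737 sample networks are constructed for the example.

```shell
#!/bin/sh
# Added example: collapse a long per-network DROP list into one ipset that a
# single iptables rule references. Set names and networks are constructed.

# Emit an `ipset restore` script building a hash:net set from CIDRs on stdin
# (one per line; blank lines and # comments are skipped).
# Load it with:  ipset -exist restore < geo.set
build_geo_set() {
    set_name="$1"
    printf 'create %s hash:net family inet\n' "$set_name"
    while read -r net; do
        case "$net" in
            ''|'#'*) continue ;;
        esac
        printf 'add %s %s\n' "$set_name" "$net"
    done
}

# The one rule that replaces N per-network rules (match source against the set).
geo_rule() {
    printf 'iptables -A INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Port/ip tuple set (hash:ip,port) for the ACL-style approach: each stdin line
# is "<ip> <tcp-port>"; ipset's entry syntax is ip,proto:port.
build_tuple_set() {
    set_name="$1"
    printf 'create %s hash:ip,port family inet\n' "$set_name"
    while read -r host port; do
        [ -n "$host" ] || continue
        printf 'add %s %s,tcp:%s\n' "$set_name" "$host" "$port"
    done
}

# Constructed sample list standing in for a country allocation.
SAMPLE_NETS='# constructed sample list
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24'

# Stand-alone demo: three networks become one set plus one rule.
printf '%s\n' "$SAMPLE_NETS" | build_geo_set blocked_geo
geo_rule blocked_geo
```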