openSUSE Linux 12.1: Create a new firewall.
More details:
What is the idea of joining it? Based on ideas or based on software? Why will it be better than, for example, iptables?
And what the hell is Cisco IOS doing there?
rysic,
Some rules of Cisco IOS are interesting.
My suggestion is to complement what exists, to get better.
> Some rules of Cisco IOS are interesting.
I challenge that you are qualified to make any such assessment.
jengelh,
I’m just a contributor to the openSUSE Linux.
This feature of Cisco IOS is interesting: Standard Access Control List - Wikipedia, the free encyclopedia
On Sun, 07 Aug 2011 02:16:02 +0000, genixinfo wrote:
> I’m just a contributor to the openSUSE Linux.
One might argue that without specifics, the “contributions” don’t have
much meaning.
IOS might have some interesting features, but pointing that out isn’t a
feature request or an enhancement request.
Explaining what deficiencies in the existing firewall model it could help
solve would be a useful contribution.
Until then, it’s just raw information. I can say the sun is bright, but
that doesn’t tell anyone how that information is useful in making a
better openSUSE (or even if it does).
Do you see what I’m getting at?
Jim
–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
A bit of friendly advice - the way that you have done this, so far, is unlikely directly to lead to any progress.
Firstly, you have to say something about what you intend to improve - do you believe that iptables is too difficult to use, do you believe that something about iptables makes it technically incapable of some features that you think are desirable, do you believe something about the change(s) that you suggest would make execution more efficient, so that performance will be better? And, of course, why improving that particular aspect is important, and, if your changes conflict with anything else, why your suggestions are so important that they should damage the prospects for other improvements.
When you have listed those, people will try to pull what you say to pieces; that is if you claim an efficiency improvement would be the result of some changed approach, people will want to examine:
and similarly for the other putative improvements. Obviously, there is a danger that you could come up with something that could be a usability improvement, but which has the potential to reduce efficiency, and it would be a matter of debate as to whether that would be an improvement, overall, or not.
What you have done is just to list other firewalls (actually, that is not really correct - a number are not genuinely firewalls), a couple of which are not even compatible with Linux. This isn’t really helping anybody - if you were to say, for example, IOS has this particular nominated feature, it allows you to do some specified thing that is not currently possible, this is the reason that you could need it, then that would be something that could be debated. Just a big list of other firewall systems and we don’t know what specific features you mean, why you think that those particular features are vital for the development of iptables.
Right now, it may be possible to achieve what you want by existing modules (or, alternatively, specifically written modules) and that would be an approach that would have a lower potential for breaking existing configurations, and so would be considered more desirable, unless there were other disadvantages for that approach. But, given that you don’t specify what you want, it is currently not feasible to discuss whether new, or existing, ‘modules’ can do it.
On 08/07/2011 04:53 AM, Jim Henderson wrote:
>
> Do you see what I’m getting at?
imo: exceedingly doubtful…
tilting at a windmill.
–
DD
openSUSE®, the “German Engineered Automobiles” of operating systems!
I have no pseudocode, I do not want to generalize.
On the Firewall, I can summarize what is necessary in certain items:
Increase defense for Denial of Service (DoS).
Monitor and report any changes that interfere with the security of the system, through e-mail and SMS, it also includes the feature: 312714
Create a user interface for various configuration profiles:
1 - Automatic: Auto-configuration
2 - Basic: easy and fast to use
3 - Advanced: more options
Add all components of the Interactive Firewall:
netfilter modules to detect intrusions
a new netfilter target, IFWLOG
iptables
ipset
shorewall (default)
mandi, a root socket to user apps bridge, using D-Bus
net_applet, which receives alerts
drakids, a blacklist/whitelist management tool
And add all the components of the Dynamic Firewall.
On Tue, 09 Aug 2011 19:36:02 +0000, genixinfo wrote:
> I have no pseudocode, I do not want to generalize.
[…]
> Increase defense for ‘Denial of Service (DoS)’
> (http://en.wikipedia.org/wiki/Denial-of-service_attack).
Too generalized. HOW would you do this, what functionality is missing?
> Monitor and report any changes that interfere with the security of the
> system, through e-mail and ‘SMS’ (http://en.wikipedia.org/wiki/SMS), it
> also includes the feature: ‘312714’
> (https://features.opensuse.org/312714)
Any changes such as what? (Oh, and it’s not necessary to link to
Wikipedia for definitions for common terms like SMS, we know what that
means).
> Create a user interface for various configuration profiles:
>
>
> 1 - Automatic: ‘Auto-configuration’
> (http://en.wikipedia.org/wiki/Auto-configuration)
>
> 2 - Basic: easy and fast to use
>
> 3 - Advanced: more options
Such as what? Again, far too generic and lacking in actionable data.
> Add all components of the ‘Interactive Firewall’
> (http://wiki.mandriva.com/en/Projects/Interactive_Firewall):
>
> netfilter modules to detect intrusions
> a new netfilter target, IFWLOG
> iptables
> ipset
> shorewall (default)
> mandi, a root socket to user apps bridge, using D-Bus
> net_applet, which receives alerts
> drakids, a blacklist/whitelist management tool
To what end, what is the goal, and what specific components or features
in these tools are not present in the current firewall? Specifics are
necessary, not just “combine all this stuff into one superfirewall” -
that’s not actionable and as I’ve said before, far out of the realm of
reality of actually happening because of the size and complexity of each
of these individual projects.
Unless you have some coding skills, in which case, start writing patches
and contribute code.
> And add all the components of the ‘Dynamic Firewall’
> (http://fedoraproject.org/wiki/Features/DynamicFirewall).
Again, why? To what end? What functionality in this firewall is not
present in the existing firewall? You’re not being specific at all -
you’re generalizing to the point of the feature requests not being useful.
Jim
–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
I’m not really much of a “coder” but I do hack around from time to time, and I am familiar with some of the applications genixinfo writes of.
> To what end, what is the goal, and what specific components or features
> in these tools are not present in the current firewall? Specifics are
> necessary, not just “combine all this stuff into one superfirewall” -
> that’s not actionable and as I’ve said before, far out of the realm of
> reality of actually happening because of the size and complexity of each
> of these individual projects.
The specific feature that I would be interested in would be some kind of immediate notification that a specific host is attempting to gain access to your machine. This collection of programs also allows for immediate “blacklisting” of a particular host or IP address as well.
Just saying…