[kde-linux] Re: Alternative to Guarddog
1i5t5.duncan at cox.net
Fri Jul 29 02:12:27 UTC 2011
David Baron posted on Thu, 28 Jul 2011 23:27:29 +0300 as excerpted:
> With the 3.0 kernels, ipchains is no longer supported. Apparently
> guarddog used ipchains to run iptables or some such scheme.
Are you sure it was with kernel 3.0? Or was it perhaps with 2.6.39 or
something, if you didn't try it? Because Linus' announced policy with
3.0 was that it was just another version and that they were *NOT* taking
the opportunity to remove any long deprecated functionality, etc. Plus,
they apparently took some pains to ensure that they didn't introduce as
many possibly externally disruptive changes (other than the switch to 3.x
itself) as usual, as well, so the 3.0 development process was rather
calmer than that for many recent kernels... with the exception of a
couple rcu bugs found and fixed at the last minute (tho even there, at
least one of those was from an earlier kernel, so it wasn't a 3.0
regression they were fixing), that delayed release by about three days.
Further, I run git kernels and followed the 3.x development process a bit
closer than usual, and didn't see notice any commits mentioning killing
ipchains support while reading git whatchanged logs, tho those logs are
certainly voluminous enough and I'm inexpert enough that I might well
have missed it.
OTOH, it could well be that certain long deprecated user-space software
(like anything still depending on ipchains?) that was hard-coded for a
2.x kernel was simply dropped, rather than re-coding the hard-coded 2.x
So my question is, are you sure it's due to 3.x dropping ipchains support
or was it dropped earlier (say for 2.6.39) and you simply didn't install
any kernels since then until 3.0, or is it simply an artifact of already
deprecated userspace hardcoding 2.x assumptions, with the software now
simply dropped rather than recoding it to allow 3.x kernels too, or ???
And if it is indeed a deliberate drop of functionality within the 3.0
kernel specifically, could you provide a link? Because that's new info
to me, and I'd like to be able to authoritatively state it to others
should it come up again, in the future. Obviously "because someone
claimed it on a list" doesn't fulfill the authoritative requirement,
while a link to a statement to that effect by the recognized subsystem
maintainer would be rather more impressive, indeed. =:^)
> Is there something that I can use now with a comprehensible GUI that
> will read the guarrdog iptables rules to start out? (I found fwbuilder
FWIW, YMMV, personal experience may differ, etc. However:
I never could properly get my head around any of the Linux firewalling
software that "made the process easier", myself, but when I finally tried
iptables itself (CLI, obviously, non-GUI), I actually found it
surprisingly easy to understand and to create rules doing what I needed
it to do.
So if you're at all comfortable at the CLI, I'd definitely recommend that
you consider trying IPTables itself, instead of simply writing it off
because you couldn't manage supposedly "easier" IPTables helpers. Of
course, if you don't use the command line at all, that's not particularly
suited to being the first thing you try, but at least here, with some
reasonable command-line experience, iptables itself was easier to grasp
than all the supposedly easier "helpers" I tried, for sure, and it may
well surprise you how easy it is, if you've tried the others and simply
couldn't grok them.
I don't claim to be an iptables expert by any means, and I do need to
refer to the manpages again when I make anything but trivial changes, but
for me it's certainly easier to work with than the supposedly simpler
stuff was, for sure, and I get the job done.
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
More information about the kde-linux