[kde-linux] Re: Alternative to Guarddog
Duncan
1i5t5.duncan at cox.net
Fri Jul 29 02:12:27 UTC 2011
David Baron posted on Thu, 28 Jul 2011 23:27:29 +0300 as excerpted:

> With the 3.0 kernels, ipchains is no longer supported. Apparently
> guarddog used ipchains to run iptables or some such scheme.

Are you sure it was with kernel 3.0? Or was it perhaps with 2.6.39 or
something, if you didn't try it? Because Linus' announced policy with
3.0 was that it was just another version and that they were *NOT* taking
the opportunity to remove any long deprecated functionality, etc. Plus,
they apparently took some pains to ensure that they didn't introduce as
many possibly externally disruptive changes (other than the switch to 3.x
itself) as usual, as well, so the 3.0 development process was rather
calmer than that for many recent kernels... with the exception of a
couple rcu bugs found and fixed at the last minute (tho even there, at
least one of those was from an earlier kernel, so it wasn't a 3.0
regression they were fixing), that delayed release by about three days.

Further, I run git kernels and followed the 3.x development process a bit
closer than usual, and didn't notice any commits mentioning killing
ipchains support while reading git whatchanged logs, tho those logs are
certainly voluminous enough and I'm inexpert enough that I might well
have missed it.

OTOH, it could well be that certain long deprecated user-space software
(like anything still depending on ipchains?) that was hard-coded for a
2.x kernel was simply dropped, rather than re-coding the hard-coded 2.x
assumption.

So my question is, are you sure it's due to 3.x dropping ipchains support
or was it dropped earlier (say for 2.6.39) and you simply didn't install
any kernels since then until 3.0, or is it simply an artifact of already
deprecated userspace hardcoding 2.x assumptions, with the software now
simply dropped rather than recoding it to allow 3.x kernels too, or ???

And if it is indeed a deliberate drop of functionality within the 3.0
kernel specifically, could you provide a link? Because that's new info
to me, and I'd like to be able to authoritatively state it to others
should it come up again, in the future. Obviously "because someone
claimed it on a list" doesn't fulfill the authoritative requirement,
while a link to a statement to that effect by the recognized subsystem
maintainer would be rather more impressive, indeed. =:^)

> Is there something that I can use now with a comprehensible GUI that
> will read the guarddog iptables rules to start out? (I found fwbuilder
> incomprehensible.)

FWIW, YMMV, personal experience may differ, etc. However:

I never could properly get my head around any of the Linux firewalling
software that "made the process easier", myself, but when I finally tried
iptables itself (CLI, obviously, non-GUI), I actually found it
surprisingly easy to understand and to create rules doing what I needed
it to do.

So if you're at all comfortable at the CLI, I'd definitely recommend that
you consider trying IPTables itself, instead of simply writing it off
because you couldn't manage supposedly "easier" IPTables helpers. Of
course, if you don't use the command line at all, that's not particularly
suited to being the first thing you try, but at least here, with some
reasonable command-line experience, iptables itself was easier to grasp
than all the supposedly easier "helpers" I tried, for sure, and it may
well surprise you how easy it is, if you've tried the others and simply
couldn't grok them.

I don't claim to be an iptables expert by any means, and I do need to
refer to the manpages again when I make anything but trivial changes, but
for me it's certainly easier to work with than the supposedly simpler
stuff was, for sure, and I get the job done.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman