Hello,
----- Original Message -----
From: Mateusz Marzantowicz <mmarzantowicz(a)osdf.com.pl>
Subject: Re: About F19 Firewall
> Maybe true, but I doubt that a simpler set of rules that never gets
> audited, written by inexperienced users, is more secure than the "complex"
> rules in FirewallD, which at last had a chance to be checked.

It's not that simpler rules are more secure, but they come in handy if one is to audit
them or modify them for his/her set-up. Such modifications could be merged back as user
contributions, which only helps to strengthen the tool or set of rules. The thing with
complexity is, it keeps even able people away from fiddling with things, which I feel
sort of beats the whole purpose. As in, if amongst all the available zones, a user is
always going to use just one everywhere, it beats the purpose of the other zones and the
promise of security too, no? Worse is, people would just turn it (Firewalld) off because
they cannot understand it or make it work for them.

> BTW, there is not that much magic in the rules applied by FirewallD, and
> other firewall solutions for Linux have a similar level of rule complexity
> (ufw, shorewall, etc.).

True. We cannot avoid complexity. There are complex set-ups & networks, which need
complex rules. Firewalld as a tool would be right to have features to enable a user who
wishes to create such complexity and define rules for the same. But providing it by default
for individual Fedora users, who don't need it, doesn't feel right.
---
Regards
-Prasad
http://feedmug.com