
Re: [Xen-users] IpTables config file for Dom0

On Thursday 27 April 2006 02:30, you wrote:
> Heiko Wundram wrote:
> > Huh? I don't use a GUI to manage our firewall, and that's pretty standard
> > for all organizations I know around here.
> If you had tried it, I don't think you would be going back to editing
> configuration files :-).

I did try it, more than once, and I sure as hell always went back to editing 
configuration files every single time, because I felt that I could achieve my 
goal faster, and inherently less error-prone, that way. ;-)

> > Using a GUI to manage a firewall (and
> > hiding the inherent complexity that a firewall always is), is more
> > error-prone than an administrator who knows what he's doing and can
> > reasonably efficiently see what parts of the system a change to the
> > firewall rules would affect,
> I don't think that's true.
> In fact, I'll bet that the non-GUI user introduces many more errors
> because he has a lack of overview in comparison to the GUI user.

That's not true. Normally, the firewall administrator will be a job with a 
dedicated person, who only takes care of the firewall, and doesn't rotate 
between several different people. The firewall administrator knows what the 
firewall looks like (at the moment), and so, it should be easy for him to 
remember the general layout of the current ruleset, and also to remember 
changes he did to that (because he probably also designed the firewall) to 
implement a new ruleset. A GUI doesn't make it easier to remember the 
ruleset; you just get icons which signify what the current ruleset basically 
looks like. That doesn't make it easier, it makes it more colorful.

> > additionally, an administrator can compute much shorter
> > rulesets than an equivalent automated tool.
> Who said anything about automated?

Have you seen what amounts of cruft FWBuilder spits out? I'd call that magic 
and automated.

--- Heiko.
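The claim above that a human can "compute much shorter rulesets" than a generator can be made concrete. The following is an added example, not code from Heiko or from FWBuilder: a small Python script that takes iptables-save style lines (a constructed sample, one port per rule, the expanded form a rule generator tends to emit) and folds adjacent rules that differ only in `--dport` into a single `-m multiport` rule. It merges only adjacent rules with the same chain, interface/address options and target, because iptables evaluates a chain top to bottom and merging across an unrelated rule could change which rule a packet hits first; it also respects the 15-port limit of the multiport match and passes through any line it does not recognise unchanged.

```python
import re

# Constructed sample input (not from the thread): iptables-save style lines,
# one port per rule, the expanded form a rule generator often emits.
SAMPLE_RULES = """\
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j LOG --log-prefix "ftp: "
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Shape of a plain single-port rule as iptables-save prints it. The optional
# "pre" part captures -s/-d/-i/-o options; anything that does not fit this
# shape (negations, LOG options, state matches, ...) is passed through as-is.
SINGLE_PORT = re.compile(
    r"^-A (?P<chain>\S+)"
    r"(?P<pre>(?: -[sdio] \S+)*)"
    r" -p (?P<proto>tcp|udp) -m (?P=proto) --dport (?P<port>\d+)"
    r" -j (?P<target>\S+)$"
)

MULTIPORT_MAX = 15  # hard limit of the xt_multiport match


def consolidate(text):
    """Return the ruleset with adjacent single-port rules that differ only in
    --dport merged into -m multiport rules. Only adjacent rules with an
    identical chain, options, protocol and target are merged, so the order in
    which packets are matched is unchanged."""
    out = []
    group = None  # (chain, pre, proto, target, [ports]) of the open run

    def flush():
        # Emit the open run, splitting it if it exceeds the multiport limit.
        if group is None:
            return
        chain, pre, proto, target, ports = group
        for i in range(0, len(ports), MULTIPORT_MAX):
            chunk = ports[i:i + MULTIPORT_MAX]
            if len(chunk) == 1:
                out.append(f"-A {chain}{pre} -p {proto} -m {proto} "
                           f"--dport {chunk[0]} -j {target}")
            else:
                out.append(f"-A {chain}{pre} -p {proto} -m multiport "
                           f"--dports {','.join(chunk)} -j {target}")

    for line in text.splitlines():
        m = SINGLE_PORT.match(line)
        if m is None:
            # Unrecognised rule: close the run and keep the line verbatim.
            flush()
            group = None
            out.append(line)
            continue
        key = (m["chain"], m["pre"], m["proto"], m["target"])
        if group is not None and group[:4] == key:
            group[4].append(m["port"])
        else:
            flush()
            group = (*key, [m["port"]])
    flush()
    return out


if __name__ == "__main__":
    for rule in consolidate(SAMPLE_RULES):
        print(rule)
```

On the sample, ten rules become seven: the three 10.0.0.0/8 ACCEPT rules and the two DROP rules collapse into one multiport rule each, while the LOG rule (which has extra options) and the rules around it are left alone. Reviewing the output with `diff` against the input before loading it with `iptables-restore` is the kind of check a hand-edited ruleset makes easy.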

Xen-users mailing list