On Thu, Mar 1, 2018 at 8:48 PM, Walter Dnes <waltd...@waltdnes.org> wrote:
> On Thu, Mar 01, 2018 at 12:58:44PM -0500, Tom H wrote
>> On Wed, Feb 28, 2018 at 4:15 PM, Walter Dnes <waltd...@waltdnes.org> wrote:
>> >
>> > Is there something besides iptables? It seems to be like
>> > systemd/perl/python, continuously expanding its scope. And no, I'm not
>> > looking for an "easy-peasy front-end gui" that'll probably pull in 90%
>> > of QT as dependencies. I fondly remember IPCHAINS.
>>
>> iptables doesn't depend on systemd, perl, or python.
>
> It has become an all-in-one router/packet-mangler/firewall/QOS/etc
> when I simply want a firewall. The required kernel entries have
> increased simply for the firewall functionality.
>
Has it really changed that much for the same requirements? Google suggests that blocking a port is still a one-liner. They've certainly added a lot of functionality, but as far as I'm aware you don't have to use most of it to just filter packets.

In any case, netfilter is entirely in the kernel, so you're going to be using it one way or another if you want to use Linux. Using a front-end is the easiest way to go with it. I don't really see that Linus has much choice but to accept more scope unless he wants to move netfilter out into userspace, since I'm sure some people need those features and he hasn't really given them any other way to have them.

If they did move netfilter to userspace, then it would probably end up working a lot more like dbus, I'm sure that would make you happier... It would enable you to use an alternative implementation, though. Not that anybody will bother to write one because it is easier to let RedHat do all the work.

That is generally how most of these things go. Nobody really kills off the ability for a simple tool to work. However, what does happen is that somebody comes up with a fancier tool that covers more edge cases, then all the distros adopt it, because they're shipping it all preconfigured so it isn't that big a deal if the new solution requires 35 configuration files since it isn't like their end-users are editing those files directly. Then more software ends up taking advantage of some of the features offered by this tool, and it becomes harder to avoid using it.

If anything netfilter staying in the kernel and picking up all those other features is probably going to be more to your taste than the alternatives...

-- 
Rich
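The "you don't have to use most of it to just filter packets" point above, shown as an added example that is not part of the thread and not anyone's posted code: a minimal host firewall that touches only the filter table's INPUT chain (default DROP, loopback, established/related state, one allowed TCP port). The script prints the iptables commands by default so the rule set can be reviewed without root; the `apply` argument is an assumption of this example and actually loads them. The allowed-port list (default 22 for SSH) is a constructed setting, not something from the thread.

```shell
#!/bin/sh
# Added example: the smallest useful stateful INPUT filter using plain iptables.
# Usage:  sh minimal_fw.sh            -> print the commands, change nothing
#         sh minimal_fw.sh apply      -> run them (root + iptables required)

# Inbound TCP ports to accept new connections on. Constructed default: SSH only.
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22}"

# Emit the rule set, one iptables command per line, executing nothing.
# Optional arguments override ALLOW_TCP_PORTS (e.g. minimal_rules 22 443).
minimal_rules() {
    ports="${*:-$ALLOW_TCP_PORTS}"
    echo "iptables -F INPUT"
    # Default-deny inbound and forwarding; let the host itself talk out.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Local processes talking to each other over loopback.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened, plus related traffic (ICMP errors, FTP data).
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Packets conntrack cannot classify (e.g. stray ACKs) are dropped early.
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # New inbound connections only on the explicitly allowed TCP ports.
    for p in $ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Answer ping; everything else falls through to the DROP policy.
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
}

# Number of commands the rule set would issue (a sanity check before applying).
rule_count() {
    minimal_rules "$@" | wc -l | tr -d ' '
}

case "${1:-}" in
    apply)
        # Stop at the first failing command so a half-loaded policy is obvious.
        minimal_rules | sh -e
        ;;
    *)
        minimal_rules
        ;;
esac
```

Everything here needs only the filter table and the conntrack match; in kernel-config terms that is CONFIG_NETFILTER, CONFIG_NF_CONNTRACK and CONFIG_NETFILTER_XT_MATCH_CONNTRACK plus the IPv4 filter table, not the NAT, mangle or QoS pieces. If even conntrack is unwanted, the two `-m conntrack` lines can be dropped and the ESTABLISHED rule replaced with a stateless `! --syn` accept, at the cost of weaker filtering.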