:: Re: [DNG] networking thinking
Inizio della pagina
Delete this message
Reply to this message
Autore: onefang
Data:  
To: dng
Oggetto: Re: [DNG] networking thinking
On 2021-11-29 18:23:25, Simon wrote:
> o1bigtenor via Dng <dng@???> wrote:
>


> > 1. is my splitting the network system into the three parts a good
> > idea or should I truncate parts 1 and 2 into the router? If you would
> > please give reasons - - - please?
>
> Six of one, half a dozen of the other. Sometimes having separate boxes
> is good, other times it isn’t. For example, if you run a router doing NAT
> (on IPv4) behind a firewall, then the firewall doesn’t see details of
> where the traffic comes from - only the mangled version where it’s all
> coming from one address. On the other hand, sometimes it can be tricky
> making everything work on one box - e.g. doing traffic shaping both ways
> when there’s multiple internal networks can require an intermediate
> virtual port (an IFB, intermediate function block, in iptables
> terminology) to route traffic through and I never did get the hang of
> that.
>
> > 2. are there any good sources for information on and about networking? 
> >      debian has moved to nftables from iptables  - - - is devuan doing similar?

>
> Everything has moved, or will be moving, to nftables - it’s a kernel
> thing. There’s a shim layer to provide an iptables interface to help
> people through the transition, but I suspect it might struggle with some
> of the more complex stuff due to differences in semantics between
> iptables and nftables.
>
> >      Where does one find information to enable a firewall that works
> > yet isn't stupid?

>
> I’m afraid that’s up there with the answer to life, the universe, and
> everything - and in this case it’s not 42 ;-)
>
>
> Back when it was part of the day job, I would “sort of absorb” bits and
> pieces until I knew enough about networking to be dangerous. After that,
> it’s a case of recognising when there’s a gap in the knowledge and
> filling it through reading/research.
>
> Sometimes a good starting point is to have a specific thing you need a
> pointer to and asking others.
>
>
> In the past my preferred firewall was Shorewall - it’s quite a steep
> learning curve, but not as steep as native iptables, and not as limiting
> as most other firewalls. However, I’m not sure of it’s current status as
> it was always very tightly bound into the semantics of iptables and would
> probably need a bottom up re-write to work well with nftables.
>
> But while the learning curve can be steep when past the basics, the
> examples will let you get common setups going very quickly.
>
> But by far the biggest thing that I liked about Shorewall was the
> “everything is in a bunch of text files” approach - meaning that you can
> look at the files and see what’s going on - and, I know this will
> frighten many used to GUIs, you can put comments in the files to tell you
> what is going on ! At the same job I mention below, some of the
> fireballing was down with Zyxel appliances - all though a “rubbish” GUI
> that makes finding anything difficult and documenting it impossible.
> Almost a write-only system.


I use Shorewall to, for my home systems, and for the servers I'm looking
after. I hope they update to nftables, or I'll have to find a new
firewall.

--
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.