[plug] Routing and firewalls

Thu Feb 22 08:49:05 AWST 2024

This discussion around GUI vs CLI is as old as I am - more or less - and
I'm not sure it's as simple as having a GUI abstraction to increase uptake.
I have been using both environments for most of my career and as far as I
can tell it's always about what works best for any particular problem.

The most visible place this was brought home to me was a decade or more ago
when I was evaluating KDE vs GNOME by running two plain desktops
side-by-side in identical virtual machines. I wasn't interested in
performance metrics, I was looking to learn what the useability differences
were.

It was at the time a stark contrast between the two. Most notable was the
Control Panel environment. Under GNOME you had access to a limited number
of buttons and preferences. A screen would typically have no more than a
dozen, more often less than that, settings and options for things like
screen rendering, panels, edge detection, etc. Under KDE it appeared that
pretty much every single option was visible in the GUI, making for pages
and pages of settings that most users would never need or want and as a
power user myself, I still didn't need or want.

The point is that GUI abstraction is about finding a balance between
usability and functionality and I think that's the precise point where we
run into issues with things like firewalls. There's always going to be the
top-10 things people want to achieve with their firewall, those can well go
into a GUI, but if that prevents someone doing something that is
unexpected, then you've essentially killed off that functionality, even
though the underlying system is perfectly capable of achieving it.

One potential method is to use a GUI to generate a text configuration that
can be edited in a text-editor and that doesn't get overwritten by the GUI
when edited later. You can put this into a git repository and track
changes, because changes are where 99.99% of the mistakes happen - after
initial configuration.

While a dumbing down of complex concepts can be achieved by a GUI, I don't
think that security and productivity are actually increased by hiding
complexity. Some things ARE complex and pretending that they are not is
going to bite you every time.

o

On Thu, 22 Feb 2024 at 08:07, Brad Campbell <brad at fnarfbargle.com> wrote:

> On 22/2/24 08:02, Dean Bergin wrote:
> > Hello Bill,
> >
> > Thanks for sharing.
> >
> > As a network engineer, I'm not normally exposed to these sorts of tools
> (I normally operate on commercial grade/proprietary products like firewalls
> or routers) so I often don't see much value in operating a host-level
> firewall unless it's a server and/or said server participates in routing
> and/or carries data plane traffic and you don't trust upstream.
> >
>
> G'day Fred ;)
>
> Yes in this case the devices in question are among other things acting as
> firewalls and routers. One of the next items on my todo list is to put a
> proper firewall/router in place so these machines are further from the
> "world".
> While I like the idea of a GUI abstraction, this particular case is one
> where there is a pretty robust and flexible GUI in place (new OpenWRT),
> however it doesn't have the flexibility to put the rules in place I need.
> At least with direct access I can build the rules manually rather than
> relying on the GUI to do it for me.
>
> Regards,
> Brad
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
>

-- 
Onno Benschop

()/)/)()        ..ASCII for Onno..
|>>?            ..EBCDIC for Onno..
--- -. -. ---   ..Morse for Onno..

If you need to know: "What computer should I buy?" http://goo.gl/spsb66

ITmaze   -   ABN: 56 178 057 063   -  ph: 04 1219 8888   -
onno at itmaze.com.au
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20240222/8fac7ce8/attachment.html>