I am not assuming anything, seriously, spend some time learning about PF, you don't realize just how huge a difference it makes to your rulesets. We're talking 1100 rules in ipf -> 85 rules in pf. And the only kind of typos GUIs prevent are the same ones pf prevents. If you try to add a rule with a typo in the syntax it will say so. The kind of typo that's a problem is typos in the IPs, which GUIs can't prevent either.
I know they are complaining about not having a GUI, when they have never put in the time to learn what they are complaining about. Speaking as someone who has to admin ~600 machines, there's nothing special about being an overworked admin, and it's no excuse to whine about something people are giving you for free, when you don't even know anything about it. "PF sucks cause they don't give me a GUI!" is an astoundingly stupid statement if you've never even used pf. Without understanding the tool, you are in no position to say what flaws it has or what other things need added. Try it out for a couple months and then talk.
No, it most certainly is not. Sparc is not open, you cannot get documentation on it without signing an NDA. Just because other companies who have been forced to sign NDAs can make sparc chips, doesn't make sparc open.
And what does DB2 or AIX have to do with anything? When did I say IBM was open? I said open is a buzzword and IBM has been taking advantage of that fact lately.
I don't recognize a good thing because it's not a good thing. This isn't a difficult concept. Just because you make the claim that a GUI is somehow required and you can't function without one doesn't make it so. If you insist on claiming that open source firewall solutions aren't good enough because they don't provide a GUI, how about you back it up with some facts, instead of just insulting the people who are giving you this stuff *for free*. Talk about a "world owes me" attitude.
And it's not that I am so arrogant that I never make a mistake, it's that I *test* changes to see if they work, the new ruleset is applied for 30 seconds to see if it works, and automatically reverted to the old rule set after that. If it did work, I update it for real. A GUI isn't going to help with this.
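The timed trial described in the comment above, written out as a shell function. This is an added example, not part of the original comment and not a script shipped with pf; it assumes `pfctl` is on the path and that the caller supplies the candidate and known-good ruleset files. The revert is scheduled before the candidate loads and detached with `nohup`, so it still runs if the new rules cut off the session the admin is testing from.

```shell
#!/bin/sh
# Added example: timed trial of a pf ruleset with an automatic revert.
# Assumptions: pfctl is installed (override with PFCTL=...), and the file
# paths passed in are the caller's own; nothing here comes from the post.
PFCTL="${PFCTL:-pfctl}"

# pf_trial CANDIDATE KNOWN_GOOD [SECONDS]
pf_trial() {
    candidate=$1 known_good=$2 hold=${3:-30}

    # -n parses a ruleset without loading it. Check both files up front:
    # a fallback that does not parse is no fallback.
    "$PFCTL" -nf "$candidate" || { echo "candidate rejected" >&2; return 1; }
    "$PFCTL" -nf "$known_good" || { echo "fallback rejected" >&2; return 1; }

    # Schedule the revert first, detached from the terminal, so it still
    # fires if the candidate locks out the session running this script.
    nohup sh -c 'sleep "$1"; exec "$2" -f "$3"' sh \
        "$hold" "$PFCTL" "$known_good" >/dev/null 2>&1 &
    revert_pid=$!

    # Load the candidate, then wait out the trial window.
    loaded=0
    "$PFCTL" -f "$candidate" || loaded=$?
    wait "$revert_pid" || return 1
    return "$loaded"
}

# Run as a script (file names are examples):
#   sh pf_trial.sh /etc/pf.conf.new /etc/pf.conf 30
if [ "$#" -ge 2 ]; then
    pf_trial "$@"
fi
```

A zero exit status means the candidate loaded and the known-good ruleset is active again; making the change permanent is a separate, deliberate step.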
Interesting idea, but I don't see how. Compression algorithms work by taking duplicate pieces of data, and removing them to an index, where they can be represented by something much smaller.
They could probably make a compression algorithm specifically for text, only taking whole words into the index. It wouldn't get compression ratios as good as more general algorithms, but it should work with your idea then.
No, it's free to all licensees. People getting a derivative work under a different license from a different place are not licensees, and if they want the original, they can get it under the BSD license. That is what free means. The GPL is not free, because I can't do whatever I want with it. Public domain is free, in every definition of the word. BSD is obviously closer than GPL. The GPL is only free if you redefine free to mean what a crazy whackjob wants it to mean for his propaganda.
And none of the reasons you provide have anything to do with GUI. All of the things you are talking about are already dealt with by existing tools that any remotely competent admin already uses for their servers.
You think apache isn't as good as IIS because they don't have a GUI too? Oh, wait, there are *THOUSANDS* of tools to manage, edit, and distribute text-based config files. It's no more difficult to admin dozens of firewalls than it is to admin dozens of webservers.
Learn to do your job instead of trying to pretend you need something else to be able to do it. There are plenty of existing tools out there, if you seriously aren't happy with any of them, then maybe you should do your part and write whatever tool you need.
Seriously, you aren't listening. You don't have to enter the same rule and object definitions over and over, that's exactly what I am saying. You make a single template, and then any firewall from there is just changing some variables like $ext_if or $local_net. Plus there are lots of things you don't have to do with pf, like making a whole set of rules to stop spoofing, with pf you can just do antispoof on $ext_if.
I am not complaining about a GUI tool, I am saying the parent poster is dumb for complaining about the lack of a GUI, when he hasn't even bothered to learn how the thing works, to see if he even needs one.
Sparc is supposed to be an open architecture already, but that's clearly not the case. You need to keep in mind that "open" is a buzzword now, it could just be IBM looking for a way to get more attention.
Everything that you send over the network is correct endian too. Because x86 is backwards, it has dedicated byte-swapping instructions so it's quite fast to go from little endian to big and the other way around.
So what you're saying is "I don't want to do my job, cause that's too much work."? Seriously, if you can't be bothered to read the documentation, and learn to use a piece of software, then don't use it.
If you had bothered to read some pf docs, you'd realize a GUI isn't going to help you. PF has literally the easiest to use, most helpful syntax around, and if you have a long pf.conf, then you are doing something wrong, it supports variables and macro expansion. The default config file has all sorts of commented out examples for you so you can't forget the syntax. There is absolutely no benefit to a GUI at all, it's as easy to configure as it can possibly be. Adding another service to potentially be exploited, allowing remote administration of fw rules is not a smart move for a device whose sole purpose is security.
What an arrogant attitude, "sure, I could read the docs and learn to use the software that is securing our network, but I shouldn't have to. It should just magically work on its own.". If you don't spend the time reading the docs, you will likely implement incorrect or at least inefficient rulesets using a GUI tool anyways. Does your boss realize that you don't think learning to use the tools protecting his company is worth your time?
How something so blatantly stupid is modded insightful I can't imagine. Seriously, openbsd has had only 1 remote hole in 7 entire years with its defaults. This is a factual public record of how good their defaults are, and you think that's not as good as net? Get real.
It's very clearly open. Code is being audited all the time, daemons are being modified to run with privilege separation, setuid root programs are almost nonexistent now on open. Then on top of that, there is the non-executable stack, propolice, and W^X protection of memory pages, and stack gap randomization. The first things make exploits much less likely, and the second make it very difficult to successfully exploit something that has an exploitable bug. Anyone who pretends netbsd is more secure is delusional or lying to you.
Readable text compresses well, but compressed text is hard to search, which they say you can do.