Selective connection tracking - to be or not to be? :)

bof@oknodo.bof.de
Fri, 7 Jul 2000 20:36:21 +0200 (MEST)


>   So, what am I trying to say? Easy - "Computers should not think, they should
>   do _exactly_ what we want". No option in case of conntrack is something like
>   "Users are too stupid to manage their computers". Yes, most of the time it is
>   true :), but usually firewalls are configured by someone who has enough
>   knowledge and/or experience to not misuse the power.

For the record, I agree with all of what you said. However, I also respect
Rusty's choice, as the package's principal author and _maintainer_, to keep
supportability in mind. May his choices be wise.

We can always start a 'dangerous netfilter stuff' extra distribution,
if we like. There are a lot of things where iptables may be "nicer" with
not much addition to the code. For example, I'll test a small mod to make
the LOG target usable as a match, too. But, this will potentially confuse
people (and they are confused about yet another packet filtering switch,
anyway), so I don't expect it to be included in the standard distribution
any time soon.

Rusty, Marc: any chance you create a 'dangerous stuff nobody needs' section
on netfilter.kernelnotes.org, where we may place such things?

regards
  Patrick