Integrated firewall - discussion / debate

Webcart

I wonder if DA can manage firewall settings to completely block selected IPs.
 
Webcart said:
This will only deny HTTP requests.
I wonder if DA can manage firewall settings to completely block selected IPs.

Not a job of DA, don't want it to be the job etc. etc....

Firewall = sysadmins job

:D

Chris
 
ProWebUK said:
Not a job of DA, don't want it to be the job etc. etc....

Firewall = sysadmins job

:D


Right, firewall management is sysadmin job, just like configuring mail server, webserver, DNS and such. I don't see much difference between all those, but if you *don't want* firewall management to be DA job, that's a good explanation too :rolleyes:
 
Webcart said:
Right, firewall management is sysadmin job, just like configuring mail server, webserver, DNS and such. I don't see much difference between all those

DNS - without it you would have no domains linked to accounts, therefore basically the website does not happen at all.

mail server = mail for the domain.... something to bring more customers that want personal mail addresses, make yourself look more professional etc...

webserver - without it, no HTTP-accessible website basically!

They are core functions of a website.... things you will see with most websites.... things that will get you sales..... things that you would include under the statement 'web hosting automation' (OK, that's Helm's slogan - although they are basically the same things!)

firewall = not something needed by customers, not going to grab you customers, not something that's directly anything to do with websites or individual accounts.

If you can manage a server, you should be able to either a) understand software such as iptables itself / directly or b) install preconfigured scripts such as KISS / APF. If you can't do either, you shouldn't be managing a server being used as a webserver :p

Chris
 
Once again, I don't think you have to provide any explanations re your reasons to support/not support specific feature.

I do, however, assume that if you choose to elaborate on the logic behind your decision, then discussion intended to offer different view or clarify yours shouldn't become personal and should be kept polite at all times.

This is all about what DA can or can't do, whatever I can do seems like offtopic here ;)
 
Webcart said:
Once again, I don't think you have to provide any explanations re your reasons to support/not support specific feature.

I do, however, assume that if you choose to elaborate on the logic behind your decision, then discussion intended to offer different view or clarify yours shouldn't become personal and should be kept polite at all times.

This is all about what DA can or can't do, whatever I can do seems like offtopic here ;)

The message above was partly explanation and partly response to your comparison of firewalls with core features of DirectAdmin and its purpose.

If you missed the explanation within the message I advise you to read through it again, taking note of the purpose of DirectAdmin.

Further reasons, beyond the fact it's not really anything to do with DA's purpose, would go in the direction of:

a) It would be clutter in the control panel..... One of the many reasons I dislike cPanel

b) It could interfere with other firewalls (people often prefer a certain script (e.g. I use KISS), others use APF or iptables directly)

Not trying to cause an argument here, rather just discussion; as much as this is my opinion, I think I may well be correct in thinking Mark and John could both possibly agree here.... at least John... I remember a note being made somewhere a while ago basically saying DA was focussing on (and only on) the web hosting area.... not system administration, which is what some seem to think.

Chris
 
OK, thank you for your explanation, I think it clarifies the issue completely.
Can't say I absolutely agree with that, as for me denying access to IPs trying DoS attacks is an integrated part of the "web hosting area" as you put it, but it's definitely not something we can't manage on our own. Maybe we will even offer it as an add-on later ;)
 
It's already available as an 'add-on': there is a pre-configured version of KISS I have written for DA (you can install it with no additional modifications and it will run fine; I advise you to tighten it and modify it, although it runs simply without any changes)

It's a 3-step installation; the only knowledge you need is logging into terminal / SSH and, if you want to make changes, you need to know how to use a text editor: pico, vi, nano etc., although it's not required.

The point I was trying to get across is basically that a firewall is not really automating creation of websites with ease of use... it's securing your server, something DA is not there to do.

I can understand the fact that not everyone will understand iptables, understand that not everyone is an expert with Linux and even understand not everyone knows how to use SSH..... but when you have a checklist with guides going from very basic idiot-proof guides to logging into SSH, then provide a 3-step / 3-command-line how-to guide to install a firewall and then offer help with any questions anyone has regarding the script, I can't see the need for DA to spend hours integrating a feature which is not really needed......... in most cases you will set up your firewall, ensure it's running and barely ever touch it again.. so why clutter up the control panel with a feature that gets used once in a lifetime also! :D

Chris
 
Oh, I didn't realize it is already available.

I have been using RH Linux since 4.0 and had a P133 with RH 6.2 as a firewall for 2 years, back then at the time when fast Internet access meant 128KB Frame Relay or ISDN :)

I wish things were as easy as putting "1" into /proc/sys/net/ipv4/ip_forward, but right now I have an almost full cabinet of servers far away from me, most of them FreeBSD 5.0, and according to the FreeBSD manual (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html) I need to recompile the kernel before I can move forward. Needless to say I am not in a hurry to do it via SSH ;)

If there is a magic script that can do it all, I wouldn't ask for more. I wouldn't drag you into a discussion of whether it makes sense to add another "button" to have it accessible through the web, give me a little credit here :D
 
ProWebUK said:
It's already available as an 'add-on': there is a pre-configured version of KISS I have written for DA (you can install it with no additional modifications and it will run fine; I advise you to tighten it and modify it, although it runs simply without any changes)
I have my own as well now, Chris.

But where can I find yours?

Jeff
 
Thanks.

As I convert from ipchains to iptables, KISS looks very good. We've installed it on one system and will probably install it on others.

Jeff
 
I have only ever used it on Red Hat, although as long as you have iptables, modprobe and a standard Linux kernel it *can* work (you may need additional software etc., but it's more than likely possible).

Chris
 
ProWebUK said:
I have only ever used it on Red Hat, although as long as you have iptables, modprobe and a standard Linux kernel it *can* work (you may need additional software etc., but it's more than likely possible).

Chris

Thanks for your answer, but it's kinda hard to have a Linux kernel on FreeBSD :) which gets me back to the beginning of this discussion.
 
I believe firewalls are too variable to include in DA: everyone wants another option, other ports opened up, different ICMP selections. If you were to include all that in DA then you would have to go to great lengths in order to get it as detailed as you would with a custom-built one.

Although perhaps viable for the future, I can see much more pressing matters to be dealt with at the moment, especially since the use is limited and not widely wanted.
 
Agreed

As we have just noticed, FBSD and Red Hat use different firewall software, so that would immediately require 2 different setups; then there's the knowledge of ports you must have etc., or you go messing things up....

unless it was simple and not very tight... that would be easy to implement but at the same time pretty much not worth it.

Chris
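The two-firewall problem Chris raises above, together with the thread's original question of blocking an address outright rather than only at the HTTP level, as an added example that is not part of the thread and is not DirectAdmin, KISS or APF code: a small POSIX sh script that validates a blocklist and prints the rule for whichever packet filter the host runs, iptables on Linux or ipfw on FreeBSD. The rule numbers, the choice of DROP over REJECT, the iptables fallback for unknown systems and the sample list are my assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread, DirectAdmin or KISS/APF.
# Generates "block this address completely" rules for the two packet filters
# the thread names: iptables (Red Hat/Linux) and ipfw (FreeBSD). A web-server
# level deny only refuses HTTP; a packet-filter rule drops every packet from
# the address. Rule numbers, DROP vs REJECT and the fallback below are my
# choices for illustration, not DirectAdmin settings.

# Accept only an IPv4 address or address/prefix. The list ends up on a shell
# command line, so anything else (including "10.0.0.1; rm -rf /") must be
# refused here rather than executed.
valid_ip4() {
    case "$1" in
        ''|*[!0-9./]*|.*|*.|/*|*/) return 1 ;;
    esac
    host=${1%/*}                         # text before the last "/"
    prefix=${1#*/}                       # text after the first "/"
    if [ "$prefix" = "$1" ]; then        # no "/" at all: a single host
        prefix=32
    fi
    oldifs=$IFS; IFS=.
    set -- $host                         # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$prefix" -le 32 ] 2>/dev/null     # non-numeric prefix fails here too
}

# Print the command that blocks every packet from $2 on packet filter $1.
# Printing instead of executing keeps this runnable without root; on the real
# host, review the output and then pipe it into sh.
block_rules() {
    fw=$1; addr=$2
    valid_ip4 "$addr" || { echo "skipping invalid address: $addr" >&2; return 1; }
    case "$fw" in
        iptables)
            # -I INPUT 1 puts the rule first, so an earlier ACCEPT for port 80
            # cannot admit the host; DROP gives a DoS source nothing back.
            printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$addr" ;;
        ipfw)
            # ipfw walks rules in number order, so a low number wins.
            printf 'ipfw add 100 deny ip from %s to any\n' "$addr" ;;
        *)
            echo "unknown packet filter: $fw" >&2; return 1 ;;
    esac
}

# Map the two operating systems in the thread to their packet filter.
firewall_for() {
    case "$1" in
        Linux)   echo iptables ;;
        FreeBSD) echo ipfw ;;
        *)       return 1 ;;
    esac
}

# Constructed sample list (RFC 5737 documentation ranges plus two bad lines).
BLOCKLIST='203.0.113.7
198.51.100.0/24
10.0.0.1; rm -rf /
300.1.1.1'

# Emit rules for every valid entry; invalid ones are reported and skipped.
emit_blocklist() {
    echo "$BLOCKLIST" | while read -r entry; do
        [ -n "$entry" ] || continue
        block_rules "$1" "$entry" || true
    done
}

# Stand-alone run: rules for this host's OS (iptables if it is neither).
host_fw=$(firewall_for "$(uname -s)") || host_fw=iptables
emit_blocklist "$host_fw"
```

Review the printed lines before piping them into sh as root. On Red Hat of that era the rules do not survive a reboot unless saved with `service iptables save`, and on FreeBSD the ipfw kernel requirement from the handbook link earlier in the thread still applies. The validation step is not cosmetic: a blocklist that is pasted into a shell command line is itself an injection surface, which is why the script refuses the "10.0.0.1; rm -rf /" line instead of running it.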
 