On 12/8/2010 12:55 PM, David Sommerseth wrote:
The real life situation is that iptables only works on linux and the way it works is distribution-dependent. So what you learn may lock you into a platform that may not always be your best choice.
Please educate me here. I've been using Novell SuSE Linux, RHEL/CentOS/Fedora, Gentoo, Crux Linux, RootLinux, Slackware, Ubuntu and my N900's maemo5 which is Debian based and OpenWRT based routers ... and I have not seen iptables behave differently than expected on any of these ... I don't completely understand your argument.
Some of these distros do indeed have their own additional tools, like YaST2, ufw, system-config-firewall, etc, etc ... That will be different, but they all use iptables under the hood. I'm not talking about the simplified iptables front-end, as that *is* expected to be different.
How many of those use the same commands to start/stop/save-current-config? Where do they keep the configs? If you deployed applications on all of them, how much time would it take to train the operators that do the install and maintenance to deal with all the variations? What if you switch to Solaris or a *bsd version? These aren't so much an issue if you use separate hardware for firewalling as when you run the host firewall on every device.
Does that mean you would not be comfortable moving your applications to SUSE, Solaris, OS X, Windows, etc.? I don't want that kind of lock-in.
When it comes to Solaris, OSX and Windows, that is not comparable, as when you base your installations on Linux, you already at that point limit yourself somewhat.
But most applications aren't, and shouldn't be, restricted to Linux. Something in Java in particular is equally at home on about any OS. And most of our servers are not currently Linux.
Agreed - if it is as standard and cross-platform as Posix support you will be able to depend on it without the associated side effect of being locked to a particular OS distribution.
First of all SELinux is written for Linux. Or else it would probably have been called SEPosix.
Second, iptables is a de-facto standard for Linux, just as pf is pretty much the standard firewalling on BSD. Windows and Solaris got their own firewalling methods as well. My point is, neither of them are any Posix standards ... would you prefer to not use any of these firewall implementations due to lack of cross-platform Posix support?
I think it is fine that non-standards-conforming things exist. I just like to avoid them as much as possible myself - and certainly to avoid having them intimately intertwined with applications that would otherwise be portable.