[Firewall] 2.0.1 on debian squeeze?

Norbert Gerhards n.gerhards at ib-gerhards.de
Mon Feb 27 18:40:00 CET 2012

Hi Intense Red,

first of all: Thanks for the time you spend on my questions!

On 27.02.2012 15:40, Intense Red wrote:
>> What I miss though is the file debconf.cfg, because that seemed
>> to me a nice abstract of firewall.conf, easier to find and edit
>> things.
>     It sounds to me like you're mixing the Arno's tarball *and* Debian's *.deb
> package. I wouldn't do that; I'd choose one or the other.

No, not really. I used AIF on a debian lenny system as the standard deb

Now it was my well-thought-out decision to give the tarball a try with
setting up a new server system, because the 2.x release supports ipv6
better than the 1.8 branch.

>     The Debian package is modified to fit Debian's policies and standard file
> locations -- that's great, and adds some standardization and Debian, and of
> course it's easily manipulated with dpkg and apt-get.
>     The drawback of the Debian package is that it may not be the latest version
> of the software. Debian's policy regarding its major "stable" releases of
> Debian clearly draws a line between "bug (or security) software fixes" and
> "feature/version software upgrades". This makes sense from a software
> development and stability standpoint, but it's not what most people are
> conditioned to expect. Most people don't think in terms of whether an upgrade
> is a feature upgrade or a bug-fix upgrade.
>     The good news is that under this scheme Debian's package maintainer is
> expected to "backport" bug/security fixes to the older software in the Debian
> stable release. This can make for some odd program version numbering schemes.
> For example, the Debian package might be Program ver. 3.23Debian4 whereas the
> upstream program is Program ver. 4.0, with the Debian version including bug
> fixes from the later version 4 program.
>     My own preference for frequently changing programs like web apps or
> something like Arno's firewall, is to not use the Debian package. These types
> of programs are pretty independent and easily upgraded, and often I want the
> latest-greatest upstream version, so I'll not use the Debian *.deb and will
> just use the author's released tarball.
>     For Arno's firewall, it's sanely designed and easily installed or removed,
> and it doesn't play around with other parts of the Debian system -- very well
> behaved. Thus, it's easy to install, uninstall and reinstall when a new
> version is released.

I think AIF is a quite 'independent' piece of iptables software, so
that missing the convenient way of apt-get and so on seemed to be no
problem for me.

I simply didn't know that debconf.cfg was more like a fruit of the
debian packaging process.

I used to read and work through the whole firewall.conf anyway.  ;-)

>     If you view it a requirement to use Debian's debconf.cfg, if it were me,
> I'd just then ignore and not install the tarball, and would rely on the *.deb
> and  the *.deb's package maintainer to ensure that he's backporting fixes and
> keeping my firewall secure (though it might not be fully up-to-date in terms of
> features).

No, as I stated before: I wanted the features of 2.0.1 and therefore
decided to give the tarball a try.
I only had never before done such an import of software.

Now, with the experience of the - in Arno's AIF case - really smooth
setup, I even give other packets a tarball try, if only they are
independent enough and if I trust the stability of the software,
like e. g. postfix.

In most other cases, I try to get things from squeeze-backports or
from the main and contrib repositories, to stay on the safe and stable
(and convenient) side of system administration.

Still, I'm a newbie, but I read and learn fast.
And I hope I can give something back to the list soon.

(my next question on this mailing list will be for logging) :-)

