[Cerowrt-devel] vpn fw question

Eric S. Johansson esj at eggo.org
Fri Oct 3 01:38:28 EDT 2014 

On 10/3/2014 12:32 AM, Dave Taht wrote:

> Oh no. A lot of the complexity in cerowrt is just there to make sure
> that complex
> setups can work. I care a lot about exposing appropriate functionality, routing
> in an IoT world, as one example, not one whit about the gui stuff.

I agree that complexity should be exposed to some level but it shouldn't 
be your first option. I have this overly told tale about my sender pays 
anti-spam system call two Penny blue. It worked well and where showed it 
off at the MIT antispam conference, there were a significant number of 
folks that want to steal my user interface they liked it so much. It 
changed the whole paradigm of antispam interfaces. The entire focus was 
on getting the job done without making's fighting spam your life. I want 
to carry the philosophy through for firewalls.  I'm almost willing to 
bet you were really expensive lunch that I can give you the same control 
you want in a much more understandable package. :-)

The reality today is most IT folks don't have time to be security 
experts. Like in what I'm trying to do with VPNs, my intent is to bridge 
networks between multiple offices. Did this with IP cop and each node  
took approximately 45 minutes to get running with IP sec. The secret is 
following the intent of what the person wants to do so they get the job 
done get on with their life.

For example, I would love to build an interface that based on a 
graphical representation of the network. By drawing lines you show 
logical connectivity between two nodes. Tapping on each end of the line 
brings up the dialogue to show the characteristics of that link such as 
a pinhole for the service. There's other ways of presenting more 
detailed information that one can use to quickly make the right change.



>
> The luci part of openwrt is sorely in need of more bodies.
Yeah that's the challenge for me. I've got a broken body. My hands don't 
work so good and I use speech recognition which means any time I do a 
lot of work in some area, I build a speech user interface to do what's 
necessary to save my hands. If you think regular GUIs are hard, try 
writing a speech user interface. Too many people think in terms of how 
to do it rather than what you want to do.
>
> There is an attempt to rewrite the gui in more javascript in luci2.
In many ways that's a wise choice as long as you don't use JavaScript ;-)
>
> the openwireless.org folk are doing their own gui for cero, and realizing that
> the 80/20 rule applies, but it's a different 20 for every user. See their
> mailing list and codebase for details.
That's a good point and that's why you always want to have a backup 
interface that exposes everything. But that's also why I'm a good user 
interface designer. If I listened to enough use cases, I can come up 
with a more general interface you might think possible at first glance. 
I also am a bit of a cynic which manifests as "the only truly intuitive 
user interface is the mammalian nipple and as any nursing mom will tell 
you, even that isn't intuitive enough for a significant number of users"
>
> Every manufacturer dumbs down the gui so much these days that it's
> impossible to turn nat off on current netgear, dd-link, and apple products.

Yeah that's  part of the  problem. People think reducing functionality 
is a  simpler  interface. It's just a different kind of complexity. that 
is a rant I will save some bar evening over root beer.
>
> I, personally, happen to really like naming interfaces after their function
> given the expressiveness of the pattern matching syntax, but it is
> an idea few have adopted....

I'm with you. So why not do it? Convention is only useful if it serves a 
purpose. At the same time, with the relationship structure between all 
the different elements because there may be other simplifications that 
can come out of a different kind of complexity. For example, in UCI you 
have the IP address and network information scattered through multiple 
files and any time the solution to a problem with changing networks is 
sed, you have the wrong solution. I'm hoping to extend UCI to work with 
named constants instead of literals for arguments. A little bit more 
complexity in the right place, simplifies configuration files and 
configurability.

This change also makes it possible to start calculating the relationship 
between the different subnets so that if you need to make the network 
subnet bigger, you change subnet mask and everything else falls out 
automatically.  I'm big on making things self adjusting like that 
because it makes my hands not hurt. If I need a more professional 
explanation I say it's a form of universal design to accommodate all 
abilities. :-)

Anyway, I need to get to bed so I can get some good work in tomorrow. 
Joys of being a self-employed crip.

--- eric

More information about the Cerowrt-devel mailing list