On 9/4/07, Ian Burrell ianburrell@gmail.com wrote:
On 9/1/07, Bruno Wolff III bruno@wolff.to wrote:
On Sat, Sep 01, 2007 at 14:07:17 +0200, Benny Amorsen benny+usenet@amorsen.dk wrote:
Administrators sometimes want to limit which traffic can reach applications, and perhaps limit the risk when accidentally starting applications. Automating firewall setup makes that useless.
That is probably the main reason. And having apps undo restrictions seems like a really really bad idea.
Plus I have no confidence that apps can properly rewrite iptables rules correctly. iptables setups can have complications which will make it hard to change them. I have used subroutines for checking reserved ip ranges and have had services configured to only be available to local ip addresses or specific interfaces.
I think the idea of having some way to help people who want a service available to the internet at large or some local ip addresses is a good idea, but it needs to be an add on step that can be skipped, not some invisible change behind the scenes.
I wonder if the solution is to display the linkage between services and firewall rules in the configuration tools. People would make the changes in the tools but they would know what is needed. For system-config-securitylevel, one possibility is to highlight the services that are enabled but haven't been opened.
Another help would have system-config-services print out a warning if the user enables a service but the firewall rule is not opened. system-config-services could probably show a dialog box that opens the firewall rule. This would probably only work if system-config-securitylevel is managing the firewall.
Seems like a fair compromise.