#2 - Improving the system-config-securitylevel. This I need to split in
two:
I maintain s-c-securitylevel, so I'll address this.
#2.1 - The current way of setting up firewall rules is excessively
simple, and makes it very difficult to have simple things like internet
connection sharing for a home network. It would be very cool to have the
ability to configure a simple 1:N NAT and some port redirection.
These sorts of features would be handy, I agree. If they can be simple
one checkbox sorts of things, that's even better. Getting into the port
redirection stuff takes s-c-securitylevel down a path I don't think we
want to go, though. It's my understanding that it's never been
developed as the be-all firewall configuration tool that does everything
you'd want to do. I certainly have not maintained it as such.
A checkbox for enabling NAT would be decent, but I don't know how much
farther beyond that I want to go.
#2.2 - The local firewall has no logging feature. It's quite difficult
for a user/home admin to know why something is not working if you don't
have any kind of logs about what is being dropped because of the
firewall blocking. Probably having logging enabled by default could be
just overkill (most end-users won't care about it), but having a way to
enable/configure logging would help those people a lot.
I have an open bug about this (151647 - it's fairly old at this point)
but have never gotten around to working on it since I didn't see it as a
huge feature. Of course, I can go in and add it if there's that much
demand. I can see it being useful for debugging firewalls.
The trick with both of these features is to add them without making the
UI a nightmare to use and maintain. Maybe I should spend a while
thinking about how to do it.
Two things I want to do in s-c-securitylevel (and if I ever get done
reworking pykickstart, I'll get these in for 7) are:
(1) Rewrite lokkit in Python. I can hack C but I'm slower at it and I
don't see it as particularly well suited to this sort of program,
especially with the goofy newt stuff.
(2) Make s-c-securitylevel not destroy any customizations you make by
hand. I think this is the biggest problem affecting the program right
now and if I can come up with a good way to deal with it, I'll put the
fix in right away. There's an open bug for this - 138143.
- Chris