Firewall

Jesse Keating jkeating at redhat.com
Mon Dec 6 19:29:07 UTC 2010


On 12/06/2010 11:27 AM, Phil Knirsch wrote:
> On 12/06/2010 08:15 PM, Jesse Keating wrote:
>> On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
>>> The other benefit would be if the user only intended the
>>> service to be accessible to localhost, or a UNIX domain
>>> socket but for some reason screwed up their service's
>>> config & opened it to the world.
>>>
>>
>> I could buy this if we actually alerted users to this, when in fact we
>> /disable/ logging in the default firewall set, so your packets just
>> magically disappear, leaving the user scratching their head as to why
>> the hell things aren't working.
>>
> 
> Thomas Woerner (iptables maintainer) is currently working on a prototype 
> for basically the next generation of firewalling. He'll put up the code 
> later this week with docu and all that shizzle as he just finished the 
> first prototype of it a week ago. It's far from complete yet, but 
> it'll show enough of what you can do with it with some nice features and 
> useful stuff.
> 
> Basically it's a stateful firewall daemon now that allows us to support 
> and implement a lot of those features which have been so critically 
> missing in our old way of doing firewalls (aka static crap) and 
> basically impossible to do there. One example is libvirt and how it has 
> to change firewall rules dynamically depending on whether a guest is 
> started or shut down, and those rules should survive a restart of the 
> firewall (which currently they don't and can't). Roughly speaking it's a 
> bit similar with the switch from our static initscripts for network 
> configuration to NetworkManager and how it deals with network interfaces 
> nowadays.
> 
> A bit more initial info can already be found here:
> 
>   https://fedoraproject.org/wiki/SystemConfig/firewall
> 
> but he'll send out a much more detailed description of what the new 
> firewalld will be able to do and what problems we can solve with it.
> 
> One thing is e.g. notifications to users when some service/app requests 
> to open a port. First version won't have network zones yet, but he and 
> Dan Williams are working on that for the next generation which will then 
> basically allow it to let the user decide once for each 
> interface/connection what should happen with it and never be bothered 
> with it afterwards.
> 
> Thanks & regards, Phil
> 

Sounds interesting, thanks Phil!

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
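Jesse's complaint above is that the default ruleset rejects silently. The script below is an added example, not code from this thread, from system-config-firewall or from the firewalld prototype Phil mentions (which was not yet published at the time). It renders two rulesets in iptables-restore format: one shaped like the static policy of the day, with a bare terminal REJECT, and one that routes rejected traffic through a user chain (named LOG_REJECT here, an assumption) that logs with rate limiting before rejecting. A small check confirms that every REJECT/DROP in a ruleset is preceded by a LOG rule in its chain, and a summarizer shows what an admin can then read out of the kernel log. The rule shapes, the log prefix, and the kernel-log lines are all constructed for illustration; nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not from the thread. "silent" mirrors the static Fedora-era
# policy shape: an unconditional REJECT with no LOG rule, so packets to a
# mis-exposed port vanish without a trace. "logging" sends them through a
# LOG_REJECT chain (name chosen here) that logs, rate-limited, then rejects.

silent_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

logging_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_REJECT - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG_REJECT
-A FORWARD -j LOG_REJECT
-A LOG_REJECT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-REJECT: " --log-level 4
-A LOG_REJECT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Check a ruleset read from stdin: every REJECT/DROP rule must be preceded,
# in the same chain, by a LOG rule. Exit status 0 when that holds, 1 otherwise.
rejects_are_logged() {
    awk '
        BEGIN { bad = 0 }
        /^-A / { chain = $2 }
        $0 ~ /-j LOG( |$)/ { logged[chain] = 1 }
        $0 ~ /-j (REJECT|DROP)( |$)/ && !logged[chain] { bad = 1 }
        END { exit bad }
    '
}

# Constructed sample of what the netfilter LOG target writes to the kernel
# log with the prefix above (addresses and ports invented for illustration).
sample_kernel_log() {
cat <<'EOF'
Dec  6 19:30:01 host kernel: FW-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0
Dec  6 19:30:02 host kernel: FW-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51235 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0
Dec  6 19:30:05 host kernel: FW-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
COMMIT
EOF
}

# Summarize rejected attempts from a kernel log on stdin as "PROTO DPT count",
# most frequent first, so a mis-exposed or probed port is visible at a glance.
rejected_ports() {
    grep 'FW-REJECT:' | awk '{
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto != "" && dpt != "") n[proto " " dpt]++
    } END { for (k in n) print k, n[k] }' | sort -k3,3nr -k2,2n
}
```

On a live host the logging ruleset would be applied as root with `logging_ruleset | iptables-restore`, and `rejected_ports` would read `dmesg` or `/var/log/messages` instead of the constructed sample. The `-m limit` clause keeps a port scan from filling the log, at the cost of dropping log entries (not packets) beyond the burst.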
