Firewall

Phil Knirsch pknirsch at redhat.com
Mon Dec 6 19:43:35 UTC 2010


On 12/06/2010 08:40 PM, Richard W.M. Jones wrote:
> On Mon, Dec 06, 2010 at 11:15:37AM -0800, Jesse Keating wrote:
>> On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
>>> The other benefit would be if the user only intended the
>>> service to be accessible to localhost, or a UNIX domain
>>> socket but for some reason screwed up their service's
>>> config & opened it to the world.
>>>
>>
>> I could buy this if we actually alerted users to this, when in fact we
>> /disable/ logging in the default firewall set, so your packets just
>> magically disappear, leaving the user scratching their head as to why
>> the hell things aren't working.
>
> Yes, enabling logging of packets really helps to track down
> firewall misconfiguration.
>
> What we really lack is good visibility for n00bs.  Sure you can do
> 'netstat -anp' to show open ports and (if you're more of an expert
> than me) look at iptables to see what's wrong, but having nice GUI
> tools to display this information would be better.
>
> (No, I'm not volunteering to write them ...)
>
> Rich.
>

That's actually a really nice idea we could tackle with the firewall 
stuff Thomas is working on in the future.

added_to_feature_list++ :)

Thanks & regards, Phil

-- 
Philipp Knirsch              | Tel.:  +49-711-96437-470
Supervisor Core Services     | Fax.:  +49-711-96437-111
Red Hat GmbH                 | Email: Phil Knirsch <pknirsch at redhat.com>
Hauptstaetterstr. 58         | Web:   http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd:  You're only jealous cos the little penguins are talking to me.

