Firewall

Bill Nottingham notting at redhat.com
Mon Dec 6 19:53:20 UTC 2010


Phil Knirsch (pknirsch at redhat.com) said: 
> Basically it's a stateful firewall daemon now that allows us to support
> and implement a lot of those features which have been so critically 
> missing in our old way of doing firewalls (aka static crap) and 
> basically impossible to do there. One example is libvirt and how it has 
> to change firewall rules dynamically depending on whether a guest is 
> started or shut down, and those rules should survive a restart of the 
> firewall (which currently they don't and can't). Roughly speaking it's a 
> bit similar with the switch from our static initscripts for network 
> configuration to NetworkManager and how it deals with network interfaces 
> nowadays.

Sounds good....

> One thing is e.g. notifications to users when some service/app requests
> to open a port. First version won't have network zones yet, but he and 
> Dan Williams are working on that for the next generation which will then 
> basically allow it to let the user decide once for each 
> interface/connection what should happen with it and never be bothered 
> with it afterwards.

... but this seems absolutely wrong. The last thing we want is to be
pestering the user with information they may not understand, and are not
fully capable of acting on. Take the constant complaints about
SETroubleshoot, or the constant mocking of Windows Vista's security popups,
for example.

Bill
