Firewall

Dennis Jacobfeuerborn dennisml at conversis.de
Mon Dec 6 19:59:32 UTC 2010


On 12/06/2010 08:53 PM, Bill Nottingham wrote:
> Phil Knirsch (pknirsch at redhat.com) said:
>> Basically it's a stateful firewall daemon now that allows us to support
>> and implement a lot of those features which have been so critically
>> missing in our old way of doing firewalls (aka static crap) and
>> basically impossible to do there. One example is libvirt and how it has
>> to change firewall rules dynamically depending on whether a guest is
>> started or shut down, and those rules should survive a restart of the
>> firewall (which currently they don't and can't). Roughly speaking it's a
>> bit similar with the switch from our static initscripts for network
>> configuration to NetworkManager and how it deals with network interfaces
>> nowadays.
>
> Sounds good....
>
>> One thing is e.g. notifications to users when some service/app requests
>> to open a port. First version won't have network zones yet, but he and
>> Dan Williams are working on that for the next generation which will then
>> basically allow it to let the user decide once for each
>> interface/connection what should happen with it and never be bothered
>> with it afterwards.
>
> ... but this seems absolutely wrong. The last thing we want is to be
> pestering the user with information they may not understand, and are not
> fully capable of acting on. Take the constant complaints about
> SETroubleshoot, or the constant mocking of Windows Vista's security popups,
> for example.

I agree that this is a problem but it would be nice if firewalld could
still keep track of this information and make it available on demand
(basically a log). Maybe the notification could be based on that and only
pop up if configured to do so by the users who care.

Regards,
   Dennis
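
As an added illustration (not firewalld's, libvirt's or any list participant's code), here is a small Python model of the behaviour discussed in this thread: a daemon that keeps a runtime rule set apart from a persistent one, tags each rule with the owner that requested it so a guest's rules can be re-applied after a daemon restart and dropped when the guest goes away, and keeps an audit log of every port request while only raising a notification for owners the user opted into. The class and method names, the JSON persistence format, the owner names and the port numbers are assumptions made for the example.

```python
import json
import time
from dataclasses import asdict, dataclass

PORT_MIN, PORT_MAX = 1, 65535


@dataclass(frozen=True)
class Rule:
    """One 'allow' rule; owner records who asked for it (a guest, a service)."""
    proto: str
    port: int
    owner: str
    interface: str = "any"


class FirewallDaemon:
    """Hypothetical stateful firewall daemon (assumed API, not firewalld's)."""

    def __init__(self, persistent_config="[]", notify_owners=()):
        self.runtime = set()       # rules loaded into the kernel right now
        self.persistent = set()    # subset that must survive a daemon restart
        self.persistent_config = persistent_config  # stands in for on-disk config
        self.audit = []            # every request, kept regardless of policy
        self.notify_owners = set(notify_owners)  # owners the user wants pop-ups for
        self.notifications = []
        # A restart re-applies only what was persisted; runtime-only rules are gone.
        for d in json.loads(self.persistent_config):
            r = Rule(**d)
            self.runtime.add(r)
            self.persistent.add(r)

    def request_open(self, rule, persistent=False):
        ok = rule.proto in ("tcp", "udp") and PORT_MIN <= rule.port <= PORT_MAX
        self._record("open", rule, persistent, "accepted" if ok else "rejected")
        if not ok:
            return False
        self.runtime.add(rule)
        if persistent:
            self.persistent.add(rule)
            self._save()
        return True

    def release(self, owner):
        """Drop every rule an owner holds, e.g. when a guest is shut down."""
        gone = {r for r in self.runtime if r.owner == owner}
        for r in gone:
            self._record("close", r, r in self.persistent, "accepted")
        self.runtime -= gone
        self.persistent -= gone
        self._save()
        return len(gone)

    def restart(self):
        """Simulate a daemon restart: a fresh instance built from persisted config."""
        return FirewallDaemon(self.persistent_config, self.notify_owners)

    def open_ports(self):
        return sorted((r.proto, r.port, r.owner) for r in self.runtime)

    def _record(self, action, rule, persistent, result):
        # The log is always written; a real daemon would ship it to the journal
        # so it is available on demand. Pop-ups happen only for opted-in owners.
        entry = {"ts": time.time(), "action": action, "owner": rule.owner,
                 "proto": rule.proto, "port": rule.port, "iface": rule.interface,
                 "persistent": persistent, "result": result}
        self.audit.append(entry)
        if rule.owner in self.notify_owners:
            self.notifications.append(entry)

    def _save(self):
        ordered = sorted(self.persistent, key=lambda r: (r.proto, r.port, r.owner))
        self.persistent_config = json.dumps([asdict(r) for r in ordered])


def demo():
    """Constructed scenario: a libvirt guest, a runtime-only service, a bad request."""
    fw = FirewallDaemon(notify_owners={"libvirt"})  # user opted in for libvirt only
    # Guest start: VNC must stay reachable across a firewall restart.
    fw.request_open(Rule("tcp", 5900, "libvirt", "virbr0"), persistent=True)
    # A service asks for a port for this boot only.
    fw.request_open(Rule("tcp", 8080, "webapp"))
    # An out-of-range request is rejected but still lands in the audit log.
    fw.request_open(Rule("tcp", 70000, "webapp"))
    return fw, fw.restart()


if __name__ == "__main__":
    before, after = demo()
    print("before restart:", before.open_ports())
    print("after restart: ", after.open_ports())
    print("audit entries: ", len(before.audit), "notifications:", len(before.notifications))
```

In the scenario the libvirt rule is the only one that comes back after `restart()`, the rejected request shows up in `audit` but not in `runtime`, and only the libvirt request produces a notification; `release("libvirt")` on the restarted daemon removes the guest's rule from both the runtime set and the persisted config.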

