Firewall

Phil Knirsch pknirsch at redhat.com
Mon Dec 6 20:01:58 UTC 2010


On 12/06/2010 08:53 PM, Bill Nottingham wrote:
> Phil Knirsch (pknirsch at redhat.com) said:
>> Basically it's a stateful firewall daemon now that allows us to support
>> and implement a lot of those features which have been so critically
>> missing in our old way of doing firewalls (aka static crap) and
>> basically impossible to do there. One example is libvirt and how it has
>> to change firewall rules dynamically depending on whether a guest is
>> started or shut down, and those rules should survive a restart of the
>> firewall (which currently they don't and can't). Roughly speaking it's a
>> bit similar with the switch from our static initscripts for network
>> configuration to NetworkManager and how it deals with network interfaces
>> nowadays.
>
> Sounds good....
>
>> One thing is e.g. notifications to users when some service/app requests
>> to open a port. First version won't have network zones yet, but he and
>> Dan Williams are working on that for the next generation which will then
>> basically allow it to let the user decide once for each
>> interface/connection what should happen with it and never be bothered
>> with it afterwards.
>
> ... but this seems absolutely wrong. The last thing we want is to be
> pestering the user with information they may not understand, and are not
> fully capable of acting on. Take the constant complaints about
> SETroubleshoot, or the constant mocking of Windows Vista's security popups,
> for example.
>
> Bill

Ah, don't worry, this is just an example of what you could do with it. What
and how we use it later on, especially in a GUI environment, is a matter
of obviously sane defaults. It's just right now one of the easiest
examples to demonstrate the event-based system firewalld is using,
where you can basically hook into dbus and listen for firewall changes.

It's all about providing the necessary framework at this point to later
on sanely be able to do what we need to do in all kinds of environments
with firewalls.

And specifically for the desktop case, you, me and the desktop team are very
opposed to those kinds of popups with cryptic firewall info or questions
(and rightly so, as it unnecessarily confuses the average user and
doesn't offer any value == bad user experience). So that's definitely
something that will be disabled by default and is only in there now for
demonstration purposes.

Thanks & regards, Phil

-- 
Philipp Knirsch              | Tel.:  +49-711-96437-470
Supervisor Core Services     | Fax.:  +49-711-96437-111
Red Hat GmbH                 | Email: Phil Knirsch <pknirsch at redhat.com>
Hauptstaetterstr. 58         | Web:   http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd:  You're only jealous cos the little penguins are talking to me.
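The two properties this thread attributes to the new daemon (dynamically added rules that survive a restart of the firewall, and an event stream that clients can subscribe to, with desktop notifications disabled by default) can be sketched in a small model. The following is an added illustration, not firewalld's own code or its D-Bus API: an in-process callback list stands in for the D-Bus signals, the on-disk JSON state file stands in for whatever the real daemon persists, and all class, method and event names (FirewallDaemon, open_port, PortAdded, the "libvirt" owner label, port 5900) are hypothetical, constructed for the example.

```python
"""Toy model of a stateful, event-driven firewall daemon (added example).

Not firewalld code. It shows only the design points from the thread: rules
added at runtime are persisted and replayed when the daemon comes back, and
interested parties subscribe to change events instead of polling rule dumps.
"""
import json
import tempfile
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

VALID_PROTOCOLS = ("tcp", "udp")


@dataclass(frozen=True)
class PortRule:
    port: int
    protocol: str
    owner: str  # service that asked for the rule, e.g. "libvirt" (constructed label)


Listener = Callable[[str, PortRule], None]  # hypothetical stand-in for a D-Bus signal handler


class FirewallDaemon:
    """Rule table kept in memory, persisted on every change, replayed on start."""

    def __init__(self, state_file: Path):
        self._state_file = state_file
        self._rules: Dict[Tuple[int, str], PortRule] = {}
        self._listeners: List[Listener] = []
        self._load()  # "survive a restart": a fresh instance picks up saved rules

    def subscribe(self, listener: Listener) -> None:
        self._listeners.append(listener)

    def open_port(self, port: int, protocol: str, owner: str) -> bool:
        # Validate before touching state; a daemon must not store unusable rules.
        if not (0 < port < 65536) or protocol not in VALID_PROTOCOLS:
            raise ValueError(f"refusing bad rule {port}/{protocol}")
        key = (port, protocol)
        if key in self._rules:
            return False  # idempotent: no duplicate rule, no duplicate event
        rule = PortRule(port, protocol, owner)
        self._rules[key] = rule
        self._persist()
        self._emit("PortAdded", rule)
        return True

    def close_port(self, port: int, protocol: str) -> bool:
        rule = self._rules.pop((port, protocol), None)
        if rule is None:
            return False
        self._persist()
        self._emit("PortRemoved", rule)
        return True

    def active_rules(self) -> List[Tuple[int, str]]:
        return sorted(self._rules)

    def _persist(self) -> None:
        self._state_file.write_text(json.dumps([asdict(r) for r in self._rules.values()]))

    def _load(self) -> None:
        if not self._state_file.exists():
            return
        for entry in json.loads(self._state_file.read_text()):
            rule = PortRule(**entry)
            self._rules[(rule.port, rule.protocol)] = rule

    def _emit(self, event: str, rule: PortRule) -> None:
        for listener in self._listeners:
            listener(event, rule)


class AuditLog:
    """Always-on subscriber: records every change for later review."""

    def __init__(self) -> None:
        self.entries: List[str] = []

    def __call__(self, event: str, rule: PortRule) -> None:
        self.entries.append(f"{event} {rule.port}/{rule.protocol} by {rule.owner}")


class DesktopNotifier:
    """Popup subscriber, disabled by default as the mail says it would be."""

    def __init__(self, enabled: bool = False) -> None:
        self.enabled = enabled
        self.shown: List[str] = []

    def __call__(self, event: str, rule: PortRule) -> None:
        if self.enabled:
            self.shown.append(f"{rule.owner}: {event} {rule.port}/{rule.protocol}")


def demo(state_dir: Optional[Path] = None) -> dict:
    """Open a rule, restart the daemon, confirm the rule is still there."""
    with tempfile.TemporaryDirectory() as tmp:
        state = Path(state_dir or tmp) / "firewall-state.json"
        audit, notifier = AuditLog(), DesktopNotifier()
        fw = FirewallDaemon(state)
        fw.subscribe(audit)
        fw.subscribe(notifier)
        fw.open_port(5900, "tcp", "libvirt")  # constructed: guest console port
        fw.open_port(5900, "tcp", "libvirt")  # duplicate request, no second event
        restarted = FirewallDaemon(state)     # simulated restart: new process, same state
        before = fw.active_rules()
        after = restarted.active_rules()
        restarted.close_port(5900, "tcp")
        return {"before_restart": before, "after_restart": after,
                "after_close": restarted.active_rules(),
                "audit": audit.entries, "popups": notifier.shown}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module shows the libvirt rule present both before and after the simulated restart, one audit entry for the single effective change, and no desktop popups, since the notifier is constructed disabled.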


More information about the devel mailing list