F19 Firewall
Daniel J Walsh
dwalsh at redhat.com
Thu Sep 26 11:52:47 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/24/2013 02:11 PM, Kurt Seifried wrote:
> Some random thoughts:
>
> 1) it would be nice to have capabilities like "do you want to let program X
> talk to the internet/receive connections" for client software with a GUI
> notification (like basically all the windows client/Mac OS X client
> firewall stuff). I would say this is probably the biggest capability needed
> for normal end users.
>
> 2) Tying firewall into networking detection, e.g. windows "is this your
> home/business/public network" and then remembering it (I assume IP/Mac
> address of default gateway would be a reasonably good way to identify
> networks).
>
> 3) Make it easy to modify policy, e.g. in section 1) if you choose to
> block/deny something and realize that was the wrong decision how do you go
> in and modify it? In Windows this is a PITA for normal users.
>
> Overall I'm not really sure firewalld solves much, anyone running a server
> will probably be able to tweak iptables to allow incoming services they
> want. So do we aim it at the end user/workstation style usage primarily
> (especially ones that move around networks)?
>
> -- security mailing list security at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/security
>
Well I would like to add SELinux support to it to control which processes are
allowed to manage which ports. But I want to wait until there is a C Version.
This would control that NetworkManager can modify zones, while cups can modify
the cups port rules. And other services are not allowed to modify any rules.
I am a little worried about auditing/journaling which process modified the
iptables rules.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlJEIA8ACgkQrlYvE4MpobO3DQCfbBdUjPpMDCXOEiTk11NVKq7S
XmYAoIAFYAe/B1YyHTpIoqKBiuE3fXTm
=kQd4
-----END PGP SIGNATURE-----
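The two points in Dan's reply above (a service may only manage its own port rules, and someone should be able to tell afterwards which process changed the iptables rules) can be illustrated with an audit-log check. The script below is an added example, not code from this thread or from firewalld: it reads auditd SYSCALL/EXECVE record pairs as produced by an `auditctl -w /usr/sbin/iptables -p x -k iptables_mod` exec watch, groups them by audit serial, takes the caller's SELinux domain from the `subj` field, and compares the ports named on the command line against a per-domain allow-list. The audit records and the allow-list are constructed for the example; that the caller's domain is still visible in `subj` at exec time assumes the SELinux policy does not transition the process into another domain when it runs iptables.

```python
import re
from collections import defaultdict

# Constructed sample records (not real audit data). Format follows what auditd
# writes for an exec watch: one SYSCALL record and one EXECVE record per event,
# tied together by the serial after the colon in msg=audit(timestamp:serial).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1380193967.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=812 pid=2201 auid=4294967295 uid=0 gid=0 euid=0 comm="iptables" exe="/usr/sbin/iptables" subj=system_u:system_r:cupsd_t:s0 key="iptables_mod"
type=EXECVE msg=audit(1380193967.101:201): argc=7 a0="iptables" a1="-A" a2="INPUT" a3="-p" a4="tcp" a5="--dport" a6="631"
type=SYSCALL msg=audit(1380193970.455:202): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=2210 auid=4294967295 uid=0 gid=0 euid=0 comm="iptables" exe="/usr/sbin/iptables" subj=system_u:system_r:cupsd_t:s0 key="iptables_mod"
type=EXECVE msg=audit(1380193970.455:202): argc=7 a0="iptables" a1="-A" a2="INPUT" a3="-p" a4="tcp" a5="--dport" a6="22"
type=SYSCALL msg=audit(1380193975.001:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2222 auid=4294967295 uid=0 gid=0 euid=0 comm="iptables" exe="/usr/sbin/iptables" subj=system_u:system_r:NetworkManager_t:s0 key="iptables_mod"
type=EXECVE msg=audit(1380193975.001:203): argc=4 a0="iptables" a1="-N" a2="zone_home" a3="-v"
type=SYSCALL msg=audit(1380193980.777:204): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 comm="iptables" exe="/usr/sbin/iptables" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="iptables_mod"
type=EXECVE msg=audit(1380193980.777:204): argc=5 a0="iptables" a1="-P" a2="INPUT" a3="ACCEPT" a4="-v"
"""

# Hypothetical allow-list in the spirit of the message: cups may only touch its
# own port, NetworkManager may change anything (zones), every other domain nothing.
ALLOWED_PORTS = {
    "cupsd_t": {631},
    "NetworkManager_t": None,   # None means unrestricted
}

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_log(text):
    """Group SYSCALL and EXECVE records by serial; return events in serial order."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events[int(serial)]
        ev["timestamp"] = float(ts)
        if rtype == "SYSCALL":
            ev.update(pid=int(fields["pid"]), ppid=int(fields["ppid"]),
                      uid=int(fields["uid"]), auid=int(fields["auid"]),
                      exe=fields["exe"], comm=fields["comm"],
                      subj=fields.get("subj", ""), key=fields.get("key", ""))
        elif rtype == "EXECVE":
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return [events[s] for s in sorted(events)]


def selinux_type(subj):
    """user:role:type:level -> type (the domain); empty string if not present."""
    parts = subj.split(":")
    return parts[2] if len(parts) >= 3 else ""


def ports_in_argv(argv):
    """Collect every port named via --dport/--sport (and multiport --dports/--sports)."""
    ports = set()
    for i, arg in enumerate(argv[:-1]):
        if arg in ("--dport", "--sport", "--dports", "--sports"):
            for item in argv[i + 1].split(","):
                lo, _, hi = item.partition(":")
                ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit_rule_changes(text, policy=ALLOWED_PORTS):
    """One finding per iptables invocation: who ran it, from which domain, and verdict."""
    findings = []
    for ev in parse_audit_log(text):
        if ev.get("key") != "iptables_mod":
            continue
        domain = selinux_type(ev.get("subj", ""))
        ports = ports_in_argv(ev.get("argv", []))
        allowed = policy.get(domain, set())      # unknown domain: nothing allowed
        if allowed is None or (ports and ports <= allowed):
            verdict = "allowed"
        else:
            verdict = "violation"
        findings.append({"serial_ts": ev["timestamp"], "pid": ev["pid"],
                         "ppid": ev["ppid"], "uid": ev["uid"], "auid": ev["auid"],
                         "domain": domain, "argv": ev.get("argv", []),
                         "ports": ports, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_rule_changes(SAMPLE_AUDIT_LOG):
        print(f"{f['verdict']:9} pid={f['pid']} auid={f['auid']} "
              f"domain={f['domain']} argv={' '.join(f['argv'])}")
```

The `auid` field is what answers the journaling question for interactive changes: it carries the login UID across `su`/`sudo`, so the last event above is attributed to the user with auid 1000 even though it ran as root. The first three events have auid 4294967295 (unset), which is how daemon-started processes show up, so for those the SELinux domain in `subj` is the only reliable attribution.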