F19 Firewall

Daniel J Walsh dwalsh at redhat.com
Thu Sep 26 11:52:47 UTC 2013


On 09/24/2013 02:11 PM, Kurt Seifried wrote:
> Some random thoughts:
> 
> 1) it would be nice to have capabilities like "do you want to let program X
> talk to the internet/receive connections" for client software with a GUI
> notification (like basically all the Windows client/Mac OS X client
> firewall stuff). I would say this is probably the biggest capability needed
> for normal end users.
> 
> 2) Tying firewall into networking detection, e.g. Windows "is this your
> home/business/public network" and then remembering it (I assume IP/MAC
> address of default gateway would be a reasonably good way to identify
> networks).
> 
> 3) Make it easy to modify policy, e.g. in section 1) if you choose to
> block/deny something and realize that was the wrong decision how do you go
> in and modify it? In Windows this is a PITA for normal users.
> 
> Overall I'm not really sure firewalld solves much, anyone running a server
> will probably be able to tweak iptables to allow incoming services they
> want. So do we aim it at the end user/workstation style usage primarily
> (especially ones that move around networks)?
> 
> -- security mailing list security at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/security
> 

Well I would like to add SELinux support to it to control which processes are
allowed to manage which ports. But I want to wait until there is a C version.

This would ensure that NetworkManager can modify zones, while cups can modify
the cups port rules, and other services are not allowed to modify any rules.
I am a little worried about auditing/journaling which process modified the
iptables rules.
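The last point in the reply above, knowing which process changed the iptables rules, is something the Linux audit subsystem can record. The following is an added example (not code from this thread, from firewalld or from SELinux) that joins the SYSCALL and EXECVE records of a constructed audit log into one entry per rule change, showing the caller's pid/ppid, uid and SELinux context alongside the exact command line; it assumes a hypothetical watch rule `-w /usr/sbin/iptables -p x -k fw_change` produced the records.

```python
import re
from collections import defaultdict

# Constructed sample of Linux audit records (not real log data). The assumed,
# hypothetical watch rule producing them: -w /usr/sbin/iptables -p x -k fw_change
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1380196367.101:200): arch=c000003e syscall=59 success=yes exit=0 ppid=812 pid=1301 uid=0 comm="iptables" exe="/usr/sbin/iptables" subj=system_u:system_r:firewalld_t:s0 key="fw_change"
type=EXECVE msg=audit(1380196367.101:200): argc=6 a0="iptables" a1="-I" a2="INPUT" a3="-p" a4="tcp" a5="--dport=631"
type=SYSCALL msg=audit(1380196367.102:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1302 uid=0 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0 key=(null)
type=SYSCALL msg=audit(1380196367.103:202): arch=c000003e syscall=59 success=no exit=-13 ppid=950 pid=1303 uid=1000 comm="iptables" exe="/usr/sbin/iptables" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="fw_change"
type=EXECVE msg=audit(1380196367.103:202): argc=2 a0="iptables" a1="-F"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # event serial ties records together


def parse_record(line):
    """Split one audit record into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def firewall_changes(log, key="fw_change"):
    """Return one entry per audit event tagged with `key`, joining the SYSCALL
    record (who ran it, under which SELinux context, whether it succeeded) with
    the EXECVE record (the exact iptables command line)."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        rec = parse_record(line)
        events[m.group(1)][rec.get("type")] = rec
    changes = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = recs.get("SYSCALL")
        if not sc or sc.get("key") != key:   # skip events from other rules / untagged
            continue
        ex = recs.get("EXECVE", {})
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0)))]
        changes.append({
            "serial": int(serial),
            "pid": int(sc["pid"]), "ppid": int(sc["ppid"]), "uid": int(sc["uid"]),
            "comm": sc["comm"], "exe": sc["exe"], "subj": sc["subj"],
            "success": sc["success"] == "yes",
            "argv": argv,
        })
    return changes
```

Calling `firewall_changes(SAMPLE_AUDIT_LOG)` yields two entries: the successful insert made from the firewalld_t context and the denied flush attempted by uid 1000; the sshd exec is filtered out by its key.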

