Firewalld is just not workable enough for me. For instance, I need to have quirky netfilter rules to make my squid proxy setup work properly. There is no easy way to do this with firewalld. I also set up an iptables queue so that netfilter supports Suricata IPS mode. This also, no easy way... Netfilter is just so diverse, and firewalld seems to strip a lot of that diversity away.

What about the idea that people who want to write their own iptables custom scripts can have, after writing the script and implementing it, a smart way for the script to be imported... the whole script, into firewalld? Last I tried, my NAT rules weren't compatible with firewalld. Like maybe a simple iptables-save then a firewalld-save or the like. Then maybe ask whether to import it into firewalld's 'home', 'work', 'public', etc.

Lance

Kurt Seifried <kseifried@xxxxxxxxxx> wrote:

> Some random thoughts:
>
> 1) it would be nice to have capabilities like "do you want to let
> program X talk to the internet/receive connections" for client
> software with a GUI notification (like basically all the windows
> client/Mac OS X client firewall stuff). I would say this is probably
> the biggest capability needed for normal end users.
>
> 2) Tying firewall into networking detection, e.g. windows "is this
> your home/business/public network" and then remembering it (I assume
> IP/Mac address of default gateway would be a reasonably good way to
> identify networks).
>
> 3) Make it easy to modify policy, e.g. in section 1) if you choose to
> block/deny something and realize that was the wrong decision how do
> you go in and modify it? In Windows this is a PITA for normal users.
>
> Overall I'm not really sure firewalld solves much, anyone running a
> server will probably be able to tweak iptables to allow incoming
> services they want. So do we aim it at the end user/workstation style
> usage primarily (especially ones that move around networks)?
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
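Lance's suggestion above, an iptables-save that is then imported into firewalld, can be prototyped against firewalld's direct interface, which accepts raw iptables arguments per table and chain. The script below is an added example for this thread, not firewalld or Fedora code. It parses iptables-save output (a constructed sample with a squid REDIRECT rule in the nat table and an NFQUEUE rule of the kind an inline IPS such as Suricata needs) and emits the equivalent firewall-cmd --permanent --direct commands without running them. It assumes IPv4 only, and it preserves rule order inside a chain by giving each successive rule a higher direct-rule priority, since firewalld does not guarantee ordering among direct rules that share a priority.

```python
"""iptables-save -> firewall-cmd --direct converter.

Added example for this thread (not firewalld or Fedora code). It builds
the command lines as argv lists and never executes them, so it can be
checked offline. Assumptions: IPv4 rules only, and rule order inside a
chain is preserved by handing each successive rule a higher priority.
"""
import shlex

# Chains that iptables creates itself; firewalld must not --add-chain these.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}

# Constructed sample dump: a squid transparent-proxy REDIRECT in nat and a
# user chain that hands forwarded traffic to NFQUEUE 0 for an inline IPS.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample, not a real dump)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:IPS - [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j IPS
-A IPS -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
"""


def parse_iptables_save(text):
    """Return (user_chains, rules).

    user_chains: {table: [chain, ...]} for chains iptables did not create.
    rules: [(table, chain, [rule args...]), ...] in file order.
    Anything that is not a table header, chain declaration, -A rule,
    COMMIT or comment is rejected rather than silently skipped.
    """
    user_chains, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            user_chains.setdefault(table, [])
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError("line outside a table block: %r" % line)
        elif line.startswith(":"):
            name = line[1:].split()[0]
            if name not in BUILTIN_CHAINS.get(table, set()):
                user_chains[table].append(name)
        elif line.startswith("-A "):
            parts = shlex.split(line)
            rules.append((table, parts[1], parts[2:]))
        else:
            raise ValueError("unsupported line: %r" % line)
    return user_chains, rules


def to_firewall_cmd(text, family="ipv4"):
    """Translate a dump into firewall-cmd argv lists, user chains first."""
    user_chains, rules = parse_iptables_save(text)
    base = ["firewall-cmd", "--permanent", "--direct"]
    cmds = [base + ["--add-chain", family, table, chain]
            for table, chains in user_chains.items() for chain in chains]
    next_prio = {}  # (table, chain) -> priority to give the next rule
    for table, chain, args in rules:
        prio = next_prio.get((table, chain), 0)
        cmds.append(base + ["--add-rule", family, table, chain, str(prio)] + args)
        next_prio[(table, chain)] = prio + 1
    cmds.append(["firewall-cmd", "--reload"])  # make the permanent rules live
    return cmds


def render(cmds):
    """Shell-quoted script text, one command per line."""
    return "\n".join(" ".join(shlex.quote(a) for a in c) for c in cmds)


if __name__ == "__main__":
    print(render(to_firewall_cmd(SAMPLE_IPTABLES_SAVE)))
```

Direct rules sit outside the zone model, so an import done this way is not tied to 'home', 'work' or 'public'; it applies whichever zone is active. Before trusting the result, run `iptables-save` again after `firewall-cmd --reload` and diff it against the original dump to confirm nothing was dropped or reordered. Note that firewalld 1.0 and later mark the direct interface deprecated in favour of policies, so check the firewall-cmd man page on the target version.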