On 09/24/2013 02:11 PM, Kurt Seifried wrote:
> Some random thoughts:
>
> 1) it would be nice to have capabilities like "do you want to let program X
> talk to the internet/receive connections" for client software with a GUI
> notification (like basically all the Windows client/Mac OS X client
> firewall stuff). I would say this is probably the biggest capability needed
> for normal end users.
>
> 2) Tying firewall into networking detection, e.g. Windows "is this your
> home/business/public network" and then remembering it (I assume IP/MAC
> address of default gateway would be a reasonably good way to identify
> networks).
>
> 3) Make it easy to modify policy, e.g. in section 1) if you choose to
> block/deny something and realize that was the wrong decision how do you go
> in and modify it? In Windows this is a PITA for normal users.
>
> Overall I'm not really sure firewalld solves much, anyone running a server
> will probably be able to tweak iptables to allow incoming services they
> want. So do we aim it at the end user/workstation style usage primarily
> (especially ones that move around networks)?
>
> --
> security mailing list
> security@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/security
>

Well, I would like to add SELinux support to it to control which processes are allowed to manage which ports. But I want to wait until there is a C version.

This would control that NetworkManager can modify zones, while cups can modify the cups port rules. And other services are not allowed to modify any rules.

I am a little worried about auditing/journaling which process modified the iptables rules.