On Mon, Jun 15, 2009 at 4:52 AM, Thomas Woerner<twoerner@xxxxxxxxxx> wrote: > The major problem with a /etc/iptables.d direcory with files provided by > packages are that you can not say in the end what your firewall will look > like: Is the firewall is open for a specific service/host/network or not. > The files are text blobs and therefore there is no way to say what they will > do. > If you have packages dropping in some firewall rules into the firewall > without the ability for activation/deactivation and also sorting of the > rules, then you could get into unexpected behaviour and also big security > risks. Well, ideally, system-config-firewall should support iptables rules (in text blobs) AS IS, rather than having its own set of custom rules that are completely obviously to the standard method for specifying them. And then, it should be able to display the state of the firewall in its entirety, not just its own custom rules. If it's going to be an abstraction around iptables, it should be a good one, and actually...you know, abstract iptables. Not just add another non-exclusive conflicting interface for specifying rules on top. Or, pull a fontconfig, and obsolete the iptables text files, requiring everyone to go through an official API (firewallconfig) or somesuch to specify behaviors. Then packages could use this system, rather than dropping in random text files, and these settings could then be centralized and monitored by a tool like system-config-firewall. Just thoughts. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
