On 12/06/2010 08:43 PM, Phil Knirsch wrote:
> On 12/06/2010 08:40 PM, Richard W.M. Jones wrote:
>> On Mon, Dec 06, 2010 at 11:15:37AM -0800, Jesse Keating wrote:
>>> On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
>>>> The other benefit would be if the user only intended the
>>>> service to be accessible to localhost, or a UNIX domain
>>>> socket but for some reason screwed up their service's
>>>> config & opened it to the world.
>>>>
>>>
>>> I could buy this if we actually alerted users to this, when in fact we
>>> /disable/ logging in the default firewall set, so your packets just
>>> magically disappear leaving the user scratching their head as to why
>>> the hell things aren't working.
>>
>> Yes, enabling logging of packets really helps to track down
>> firewall misconfiguration.
>>
>> What we really lack is good visibility for n00bs. Sure you can do
>> 'netstat -anp' to show open ports and (if you're more of an expert
>> than me) look at iptables to see what's wrong, but having nice GUI
>> tools to display this information would be better.
>>
>> (No, I'm not volunteering to write them ...)
>>
>> Rich.
>>
>
> That's actually a really nice idea we could tackle with the firewall
> stuff Thomas is working on in the future.
>
> added_to_feature_list++ :)

Add accounting too. Assuming that the Zones are implemented as chains it
would be nice to be able to review how much traffic a Zone and/or the
services are seeing.

Regards,

Dennis

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
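Illustration of the per-zone accounting Dennis asks for, added here as an example and not code from the thread or from the firewall project being discussed. It assumes zones are implemented as per-zone chains named ZONE_* that INPUT jumps into (an assumption; the real naming is not given in the thread) and reads a constructed sample shaped like `iptables -nvxL` output instead of a live ruleset. The zone total is taken from the jump rule's counters in INPUT, so a LOG rule followed by a DROP rule in the zone chain does not count the same packets twice; the DROP counter also answers Jesse's complaint about packets that "magically disappear".

```shell
#!/bin/sh
# Constructed sample of `iptables -nvxL` output (not captured from a real
# host). Columns: pkts bytes target prot opt in out source destination [match].
SAMPLE_COUNTERS='Chain INPUT (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   48210  6120880 ZONE_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    9020   981400 ZONE_internal  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain ZONE_public (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   40000  5000000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    8000  1100000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
     210    20880 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "zone_public_drop: "
     210    20880 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ZONE_internal (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    9000   980000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
      20     1400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# Source of counter data. Replace the body with `iptables -nvxL` to read
# the live ruleset (-x prints exact counters instead of K/M suffixes).
counters() {
    printf '%s\n' "$SAMPLE_COUNTERS"
}

# Names of all zone chains (assumed ZONE_* naming), one per line.
list_zones() {
    counters | awk '/^Chain ZONE_/ { print $2 }'
}

# "<packets> <bytes>" that entered CHAIN, read from the INPUT rule that
# jumps to it. Counting the jump rule avoids double counting LOG+DROP pairs.
zone_traffic() {
    counters | awk -v chain="$1" '
        /^Chain / { cur = $2; next }
        cur == "INPUT" && $3 == chain { print $1, $2 }'
}

# Bytes accepted in CHAIN for the service on TCP/UDP port DPORT.
# The "dpt:N" match token sits after the destination column, so scan
# every field from the 10th onward rather than assuming a fixed position.
service_bytes() {
    counters | awk -v chain="$1" -v port="dpt:$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == "ACCEPT" {
            for (i = 10; i <= NF; i++) if ($i == port) total += $2
        }
        END { print total + 0 }'
}

# Packets that reached a DROP rule in CHAIN: the traffic a user would
# otherwise see vanish without any log line.
zone_dropped() {
    counters | awk -v chain="$1" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == "DROP" { total += $1 }
        END { print total + 0 }'
}

# Human-readable summary for every zone chain.
zone_report() {
    for z in $(list_zones); do
        set -- $(zone_traffic "$z")
        printf '%-14s %8s pkts %10s bytes in, %s pkts dropped\n' \
            "$z" "$1" "$2" "$(zone_dropped "$z")"
    done
}

zone_report
```

Run it as-is to see the report for the constructed sample; on a real host, swap the body of `counters` for `iptables -nvxL` and run as root. Counters are cumulative since the rules were loaded, so a GUI built on this would sample them periodically and show deltas.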