On 12/06/2010 08:53 PM, Bill Nottingham wrote:
> Phil Knirsch (pknirsch@xxxxxxxxxx) said:
>> Basically it's a stateful firewall daemon now that allows us to support
>> and implement a lot of those features which have been so critically
>> missing in our old way of doing firewalls (aka static crap) and
>> basically impossible to do there. One example is libvirt and how it has
>> to change firewall rules dynamically depending on whether a guest is
>> started or shut down, and those rules should survive a restart of the
>> firewall (which currently they don't and can't). Roughly speaking it's a
>> bit similar with the switch from our static initscripts for network
>> configuration to NetworkManager and how it deals with network interfaces
>> nowadays.
>
> Sounds good....
>
>> One thing is e.g. notifications to users when some service/app requests
>> to open a port. First version won't have network zones yet, but he and
>> Dan Williams are working on that for the next generation which will then
>> basically allow it to let the user decide once for each
>> interface/connection what should happen with it and never be bothered
>> with it afterwards.
>
> ... but this seems absolutely wrong. The last thing we want is to be
> pestering the user with information they may not understand, and are not
> fully capable of acting on. Take the constant complaints about
> SETroubleshoot, or the constant mocking of Windows Vista's security popups,
> for example.
>
> Bill

Ah, don't worry, this is just an example of what you could do with it. What and how we use it later on, especially in a GUI environment, is a matter of obviously sane defaults. It's just right now one of the easiest examples to demonstrate the event-based system firewalld is using, where you can basically hook into dbus and listen for firewall changes. It's all about providing the necessary framework at this point to later on sanely be able to do what we need to do in all kinds of environments with firewalls.

And specifically for the Desktop case you, me and the desktop team are very opposed to those kinds of popups with cryptic firewall info or questions (and rightly so, as it unnecessarily confuses the average user and doesn't offer any value == bad user experience). So that's definitely something that will be disabled by default and is only in there now for demonstration purposes.

Thanks & regards, Phil

-- 
Philipp Knirsch             | Tel.:  +49-711-96437-470
Supervisor Core Services    | Fax.:  +49-711-96437-111
Red Hat GmbH                | Email: Phil Knirsch <pknirsch@xxxxxxxxxx>
Hauptstaetterstr. 58        | Web:   http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd:  You're only jealous cos the little penguins are talking to me.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
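An added example of the D-Bus event hook Phil describes, written for this page and not code from the thread or from firewalld itself: a listener that records runtime zone changes to a log instead of prompting the user, which is the "sane default" both sides of the thread want. The bus name, object path, interface and signal names are taken from the firewalld.dbus(5) documentation of current firewalld and are an assumption about the 2010 version; dbus-python and PyGObject are needed only for the live listener in main(), and the parsing and formatting can be exercised without them.

```python
import logging
from dataclasses import dataclass
from typing import Optional, Sequence

# Names per firewalld.dbus(5) of current firewalld; assumption: the 2010 version may have differed.
BUS_NAME = "org.fedoraproject.FirewallD1"
OBJECT_PATH = "/org/fedoraproject/FirewallD1"
ZONE_IFACE = "org.fedoraproject.FirewallD1.zone"
@dataclass(frozen=True)
class FirewallEvent:
    action: str             # "opened", "closed", "bound", "unbound"
    zone: str
    what: str               # "8080/tcp", "ssh", "eth0"
    timeout: Optional[int]  # runtime-change expiry in seconds; 0 = until reload; None = n/a
def parse_zone_signal(member: str, args: Sequence) -> Optional[FirewallEvent]:
    """Map a zone-interface signal (member name, positional args) to an event, or None."""
    zone = str(args[0]) if args else ""
    if member == "PortAdded":         # (zone, port, protocol, timeout)
        return FirewallEvent("opened", zone, f"{args[1]}/{args[2]}", int(args[3]))
    if member == "PortRemoved":       # (zone, port, protocol)
        return FirewallEvent("closed", zone, f"{args[1]}/{args[2]}", None)
    if member == "ServiceAdded":      # (zone, service, timeout)
        return FirewallEvent("opened", zone, str(args[1]), int(args[2]))
    if member == "ServiceRemoved":    # (zone, service)
        return FirewallEvent("closed", zone, str(args[1]), None)
    if member == "InterfaceAdded":    # (zone, interface)
        return FirewallEvent("bound", zone, str(args[1]), None)
    if member == "InterfaceRemoved":  # (zone, interface)
        return FirewallEvent("unbound", zone, str(args[1]), None)
    return None                       # signals this auditor does not record

def describe(ev: FirewallEvent) -> str:
    """One audit-log line per change; nothing is shown to or asked of the user."""
    line = f"{ev.action} {ev.what} in zone {ev.zone}"
    if ev.timeout is None:
        return line
    return line + (" (until reload)" if ev.timeout == 0 else f" (expires in {ev.timeout}s)")

def main() -> None:
    import dbus, dbus.mainloop.glib            # live listener only: needs dbus-python and PyGObject
    from gi.repository import GLib
    logging.basicConfig(level=logging.INFO, format="%(asctime)s firewalld: %(message)s")
    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
    def on_signal(*args, member=None):         # member= is supplied via member_keyword below
        ev = parse_zone_signal(member, args)
        if ev is not None:
            logging.info(describe(ev))
    dbus.SystemBus().add_signal_receiver(on_signal, dbus_interface=ZONE_IFACE, bus_name=BUS_NAME,
                                         path=OBJECT_PATH, member_keyword="member")
    GLib.MainLoop().run()
```

Run main() on a host with firewalld to follow its runtime changes on the system bus; a libvirt guest start or a `firewall-cmd --add-port` shows up as one log line each.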