On 9/4/07, Ian Burrell <ianburrell@xxxxxxxxx> wrote:
> On 9/1/07, Bruno Wolff III <bruno@xxxxxxxx> wrote:
> > On Sat, Sep 01, 2007 at 14:07:17 +0200,
> >   Benny Amorsen <benny+usenet@xxxxxxxxxx> wrote:
> > >
> > > Administrators sometimes want to limit which traffic can reach
> > > applications, and perhaps limit the risk when accidentally starting
> > > applications. Automating firewall setup makes that useless.
> >
> > That is probably the main reason. And having apps undo restrictions seems
> > like a really really bad idea.
> >
> > Plus I have no confidence that apps can properly rewrite iptables rules
> > correctly. iptables setups can have complications which will make it
> > hard to change them. I have used subroutines for checking reserved ip
> > ranges and have had services configured to only be available to local
> > ip addresses or specific interfaces.
> >
> > I think the idea of having some way to help people who want a service
> > available to the internet at large or some local ip addresses is a good
> > idea, but it needs to be an add on step that can be skipped, not some
> > invisible change behind the scenes.
> >
>
> I wonder if the solution is to display the linkage between services
> and firewall rules in the configuration tools. People would make the
> changes in the tools but they would know what is needed. For
> system-config-securitylevel, one possibility is to highlight the
> services that are enabled but haven't been opened.
>
> Another help would have system-config-services print out a warning if
> the user enables a service but the firewall rule is not opened.
> system-config-services could probably show a dialog box that opens the
> firewall rule. This would probably only work if
> system-config-securitylevel is managing the firewall.

Seems like a fair compromise.
--
Fedora 7 : sipping some of that moonshine ( www.pembo13.com )

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
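The thread's suggestion of highlighting services that are enabled but not opened in the firewall can be done as a read-only audit rather than by having applications rewrite rules. The following is an added example and not code from the thread, Fedora, or any of the system-config-* tools: it cross-checks constructed samples of `iptables-save` and `ss -tulnH` output and reports each exposed listener as open, restricted to specific sources (the local-only services Bruno describes), or blocked. Listeners bound only to loopback are skipped because they need no firewall hole. The sample rule set and socket list are made up for the example; the script only looks at ACCEPT rules placed directly in the INPUT chain of the IPv4 filter table, so jumps to user-defined chains, ip6tables and nftables are assumed out of scope.

```python
import shlex

# Constructed sample of `iptables-save` output (not from the thread).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 5432 -j ACCEPT
COMMIT
"""

# Constructed sample of `ss -tulnH` output (Netid, State, Recv-Q, Send-Q, Local, Peer).
SAMPLE_SOCKETS = """\
tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:80       0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:3306   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5432     0.0.0.0:*
tcp   LISTEN 0 128 [::]:8080        [::]:*
udp   UNCONN 0 0   0.0.0.0:123      0.0.0.0:*
"""

ANY_SOURCE = "0.0.0.0/0"   # a rule without -s matches every source address
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_accept_rules(text):
    """Return (INPUT policy, {(proto, port): set of allowed source prefixes})."""
    policy = "DROP"
    allowed = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":INPUT"):
            policy = line.split()[1]          # ":INPUT DROP [0:0]" -> DROP
            continue
        if not line.startswith("-A INPUT"):
            continue                          # only rules appended to INPUT
        toks = shlex.split(line)              # shlex keeps quoted --comment text intact
        opts, i = {}, 0
        while i < len(toks):                  # collect "-flag value" pairs
            if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1
        ports = opts.get("--dport") or opts.get("--dports")
        if opts.get("-j") != "ACCEPT" or "-p" not in opts or not ports:
            continue                          # not a protocol/port ACCEPT rule
        src = opts.get("-s", ANY_SOURCE)
        for spec in ports.split(","):         # handles "80,443" and "6000:6010"
            lo, _, hi = spec.partition(":")
            for port in range(int(lo), int(hi or lo) + 1):
                allowed.setdefault((opts["-p"], port), set()).add(src)
    return policy, allowed


def parse_listeners(text):
    """Return [(proto, port, bind address)] for sockets not bound to loopback."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # works for "[::]:8080" too
        if addr.startswith(LOOPBACK_PREFIXES):
            continue                            # loopback-only: not reachable from outside
        listeners.append((proto, int(port), addr))
    return listeners


def audit(socket_text, rules_text):
    """Map each exposed (proto, port) to 'open', 'blocked' or 'restricted to ...'."""
    policy, allowed = parse_accept_rules(rules_text)
    report = {}
    for proto, port, _addr in parse_listeners(socket_text):
        sources = allowed.get((proto, port))
        if policy == "ACCEPT":
            status = "open (INPUT policy ACCEPT)"  # firewall is not filtering at all
        elif sources is None:
            status = "blocked"                     # enabled service, no firewall hole
        elif ANY_SOURCE in sources:
            status = "open"
        else:
            status = "restricted to " + ", ".join(sorted(sources))
        report[(proto, port)] = status
    return report


if __name__ == "__main__":
    for (proto, port), status in sorted(audit(SAMPLE_SOCKETS, SAMPLE_RULES).items()):
        print(f"{proto}/{port}: {status}")
```

On a live host the two samples would be replaced by the actual `iptables-save` and `ss -tulnH` output; the "blocked" entries are exactly the services a configuration tool would highlight, and the "restricted" ones are the deliberate local-only setups that an automatic rule writer would be most likely to trample. A dual-stack host also needs the same check against ip6tables, since the `[::]:8080` listener above is only reported as blocked because no IPv6 rules were examined.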