Fedora 7

Chris Lumens clumens at redhat.com
Fri Jan 5 17:29:06 UTC 2007


> #2 - Improving the system-config-securitylevel. This I need to split in
> two:

I maintain s-c-securitylevel, so I'll address this.

> #2.1 - The current way of setting up firewall rules is excessively
> simple, and makes it very difficult to have simple things like internet
> connection sharing for a home network. It would be very cool to have the
> ability to configure a simple 1:N NAT and some port redirection.

These sorts of features would be handy, I agree.  If they can be simple
one checkbox sorts of things, that's even better.  Getting into the port
redirection stuff takes s-c-securitylevel down a path I don't think we
want to go, though.  It's my understanding that it's never been
developed as the be-all firewall configuration tool that does everything
you'd want to do.  I certainly have not maintained it as such.

A checkbox for enabling NAT would be decent, but I don't know how much
farther beyond that I want to go.

> #2.2 - The local firewall has no logging feature. It's quite difficult
> for a user/home admin to know why something is not working if you don't
> have any kind of logs about what is being dropped because of the
> firewall blocking. Probably having logging enabled by default could be
> just overkill (most end-users won't care about it), but having a way to
> enable/configure logging would help those people a lot.

I have an open bug about this (151647 - it's fairly old at this point)
but have never gotten around to working on it since I didn't see it as a
huge feature.  Of course, I can go in and add it if there's that much
demand.  I can see it being useful for debugging firewalls.

The trick with both of these features is to add them without making the
UI a nightmare to use and maintain.  Maybe I should spend a while
thinking about how to do it.

Two things I want to do in s-c-securitylevel (and if I ever get done
reworking pykickstart, I'll get these in for 7) are:

(1) Rewrite lokkit in Python.  I can hack C but I'm slower at it and I
don't see it as particularly well suited to this sort of program,
especially with the goofy newt stuff.

(2) Make s-c-securitylevel not destroy any customizations you make by
hand.  I think this is the biggest problem affecting the program right
now and if I can come up with a good way to deal with it, I'll put the
fix in right away.  There's an open bug for this - 138143.

- Chris



