Fedora 7
Chris Lumens
clumens at redhat.com
Fri Jan 5 17:29:06 UTC 2007

> #2 - Improving the system-config-securitylevel. This I need to split in
> two:

I maintain s-c-securitylevel, so I'll address this.

> #2.1 - The current way of setting up firewall rules is excessively
> simple, and makes it very difficult to have simple things like internet
> connection sharing for a home network. It would be very cool to have the
> ability to configure a simple 1:N NAT and some port redirection.

These sorts of features would be handy, I agree. If they can be simple
one checkbox sorts of things, that's even better. Getting into the port
redirection stuff takes s-c-securitylevel down a path I don't think we
want to go, though. It's my understanding that it's never been
developed as the be-all firewall configuration tool that does everything
you'd want to do. I certainly have not maintained it as such.

A checkbox for enabling NAT would be decent, but I don't know how much
farther beyond that I want to go.

> #2.2 - The local firewall has no logging feature. It's quite difficult
> for a user/home admin to know why something is not working if you don't
> have any kind of logs about what is being dropped because of the
> firewall blocking. Probably having logging enabled by default could be
> just overkill (most end-users won't care about it), but having a way to
> enable/configure logging would help those people a lot.

I have an open bug about this (151647 - it's fairly old at this point)
but have never gotten around to working on it since I didn't see it as a
huge feature. Of course, I can go in and add it if there's that much
demand. I can see it being useful for debugging firewalls.

The trick with both of these features is to add them without making the
UI a nightmare to use and maintain. Maybe I should spend a while
thinking about how to do it.

Two things I want to do in s-c-securitylevel (and if I ever get done
reworking pykickstart, I'll get these in for 7) are:

(1) Rewrite lokkit in Python. I can hack C but I'm slower at it and I
don't see it as particularly well suited to this sort of program,
especially with the goofy newt stuff.

(2) Make s-c-securitylevel not destroy any customizations you make by
hand. I think this is the biggest problem affecting the program right
now and if I can come up with a good way to deal with it, I'll put the
fix in right away. There's an open bug for this - 138143.

- Chris