Phil Knirsch (pknirsch(a)redhat.com) said:
> Basically it's a stateful firewall daemon now that allows us to support
> and implement a lot of those features which have been so critically
> missing in our old way of doing firewalls (aka static crap) and
> basically impossible to do there. One example is libvirt and how it has
> to change firewall rules dynamically depending on whether a guest is
> started or shut down, and those rules should survive a restart of the
> firewall (which currently they don't and can't). Roughly speaking it's a
> bit similar to the switch from our static initscripts for network
> configuration to NetworkManager and how it deals with network interfaces
> nowadays.
Sounds good....
> One thing is e.g. notifications to users when some service/app requests
> to open a port. First version won't have network zones yet, but he and
> Dan Williams are working on that for the next generation which will then
> basically allow it to let the user decide once for each
> interface/connection what should happen with it and never be bothered
> with it afterwards.
... but this seems absolutely wrong. The last thing we want is to be
pestering the user with information they may not understand, and are not
fully capable of acting on. Take the constant complaints about
SETroubleshoot, or the constant mocking of Windows Vista's security popups,
for example.
Bill