On 12/06/2010 08:40 PM, Richard W.M. Jones wrote:
> On Mon, Dec 06, 2010 at 11:15:37AM -0800, Jesse Keating wrote:
> > On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
> >> The other benefit would be if the user only intended the
> >> service to be accessible to localhost, or a UNIX domain
> >> socket but for some reason screwed up their service's
> >> config & opened it to the world.
> >>
> >
> > I could buy this if we actually alerted users to this, when in fact we
> > /disable/ logging in the default firewall set, so your packets just
> > magically disappear leaving the user scratching their head as to why
> > the hell things aren't working.
>
> Yes, enabling logging of packets really helps to track down
> firewall misconfiguration.
>
> What we really lack is good visibility for n00bs. Sure you can do
> 'netstat -anp' to show open ports and (if you're more of an expert
> than me) look at iptables to see what's wrong, but having nice GUI
> tools to display this information would be better.
>
> (No, I'm not volunteering to write them ...)
>
> Rich.

That's actually a really nice idea we could tackle with the firewall
stuff Thomas is working on in the future.
added_to_feature_list++ :)
Thanks & regards, Phil
--
Philipp Knirsch | Tel.: +49-711-96437-470
Supervisor Core Services | Fax.: +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch <pknirsch(a)redhat.com>
Hauptstaetterstr. 58 | Web: http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd: You're only jealous cos the little penguins are talking to me.