On 12/06/2010 08:43 PM, Phil Knirsch wrote:
On 12/06/2010 08:40 PM, Richard W.M. Jones wrote:
> On Mon, Dec 06, 2010 at 11:15:37AM -0800, Jesse Keating wrote:
>> On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
>>> The other benefit would be if the user only intended the
>>> service to be accessible to localhost, or a UNIX domain
>>> socket but for some reason screwed up their service's
>>> config & opened it to the world.
>>>
>>
>> I could buy this if we actually alerted users to this, when in fact we
>> /disable/ logging in the default firewall set, so your packets just
>> magically disappear leaving the user scratching their head as to why
>> the hell things aren't working.
>
> Yes, enabling logging of packets really helps to track down
> firewall misconfiguration.
>
> What we really lack is good visibility for n00bs. Sure you can do
> 'netstat -anp' to show open ports and (if you're more of an expert
> than me) look at iptables to see what's wrong, but having nice GUI
> tools to display this information would be better.
>
> (No, I'm not volunteering to write them ...)
>
> Rich.
>
That's actually a really nice idea we could tackle with the firewall
stuff Thomas is working on in the future.
added_to_feature_list++ :)
Add accounting too. Assuming that the Zones are implemented as chains it
would be nice to be able to review how much traffic a Zone and/or the
services are seeing.
Regards,
Dennis
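The point made above is that silently dropping packets leaves the user guessing, whereas a LOG rule makes the misconfiguration visible. As an added example (not code from this thread or from the Fedora firewall work it refers to), the following Python script parses the kernel messages an iptables LOG target emits and summarizes which destination ports and source addresses are being dropped. It assumes a rule of the form `iptables -A INPUT -j LOG --log-prefix "FIREWALL-DROP: "` placed just before the chain's final DROP; the log lines below are constructed sample data using documentation address ranges.

```python
from collections import Counter

# Assumed logging rule (standard iptables syntax, placement is an assumption):
#   iptables -A INPUT -j LOG --log-prefix "FIREWALL-DROP: "
# inserted immediately before the chain's final DROP/REJECT rule.
LOG_PREFIX = "FIREWALL-DROP: "

# Constructed sample kernel log lines for this example (not real captures).
SAMPLE_LOG = """\
Dec  6 20:41:02 host kernel: FIREWALL-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  6 20:41:03 host kernel: FIREWALL-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=51235 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  6 20:41:05 host kernel: FIREWALL-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=UDP SPT=40000 DPT=5353 LEN=58
Dec  6 20:41:09 host kernel: usb 1-1: new high-speed USB device number 4 using ehci_hcd
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG message as a dict, or
    None if the line does not carry our prefix. Bare flag tokens such as
    DF or SYN (no '=') are recorded as True."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = {}
    for token in line[idx + len(LOG_PREFIX):].split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return fields


def summarize_drops(lines):
    """Count dropped packets per (protocol, destination port) and per source
    address, so a service that is blocked but expected to work shows up at once."""
    by_port = Counter()
    by_source = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue  # unrelated kernel message
        by_port[(f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        by_source[f.get("SRC", "?")] += 1
    return by_port, by_source


def report(lines):
    """Render the summary as plain text for a quick look at what the firewall ate."""
    by_port, by_source = summarize_drops(lines)
    out = ["Dropped packets by destination (proto, port):"]
    for (proto, dpt), n in by_port.most_common():
        out.append(f"  {proto:<4} {dpt:>5}  {n}")
    out.append("Dropped packets by source address:")
    for src, n in by_source.most_common():
        out.append(f"  {src:<15}  {n}")
    return "\n".join(out)


if __name__ == "__main__":
    # On a live system feed it the kernel log (journalctl -k or /var/log/messages).
    print(report(SAMPLE_LOG.splitlines()))
```

The report immediately shows that two TCP SYNs to port 8080 were dropped, which is exactly the "packets magically disappear" case the thread complains about; the same per-port counters are a first step toward the per-zone accounting suggested in the last paragraph.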