Services automaticly change firewall rules to open access to themselfs.

[Richi Plana]

On Wed, 2007-09-05 at 11:30 +0200, Nicolas Mailhot wrote:
> In an handwaved perfect word, service-firewall-rules would display a
> graph of the current firewall network ruleset (showing the packet flow
> through blocks of rules), and services would just dump new blocks in
> this graph that'd be grayed out till activated by the admin.
> 
> This is something like a SoC project though.

What's Fedora's stance on firewall / iptables management, anyway.
Specifically with regards to other "iptables applications"? So far, the
only way I see that external apps can co-exist with s-c-s is by using
the "Custom Rules File" which simply appends rules to the end of the
rules generated by s-c-s.

I have two applications right now (one to limit DROP successive ssh
accesses and another to DROP access from spam sources configured
dynamically) and the use of the Custom Rules File is insufficient for
the way it works (some rules need to be inserted at an arbitrary
position relative to the rules generated by s-c-s and a regeneration of
the integrated /etc/sysconfig/iptables file is needed whenever dynamic
changes are made).

How does Fedora intend to handle firewall management requests from
external apps? Will it export some kind of IPC API? Or is Custom Rules
File finally it?
--

Richi Plana