On 08/27/08 14:10, Bill Sommerfeld wrote:
> On Mon, 2008-08-18 at 13:06 -0700, Tony Nguyen wrote:
>> Hi Darren and all,
>>
>> As part of the Visual Panels project,
>>
>> http://opensolaris.org/os/project/vpanels
>>
>> we're proposing a generic firewall framework for Solaris. The framework utilizes IPfilter to provide a simple mechanism to configure a firewall on Solaris systems.

> I'm sorry, I just don't get it.  The mechanisms you're setting up seem
> incompatible with delegated service administration.
>
> The purpose of a firewall is to establish policies to limit what traffic
> is allowed through a particular network chokepoint.
>
> Composing your policy out of bits and pieces contributed by different
> services which may be administered by different administrators
> (remember, different SMF services may be administered by different
> users) without a clear and coherent overall policy author strikes me as
> a disaster waiting to happen unless the global administrator can
> constrain what rules a service administrator can supply.

Bill, my thoughts on this are that this project is primarily aimed
at delivering access control for running network services, rather
than being a network firewall per se - if you like, this project is
more concerned with being a host based firewall and not a
network chokepoint.

But that said, the greater question you've asked is a good one:
is it an acceptable policy to allow service administrators, rather
than a host administrator to control network access to a service?

In the absence of a specific policy for the host, I'd argue yes,
that's an acceptable model to use.

I suppose the question you're asking is: what if the system's policy
is to allow delegation of the control of the services but not control
over network access to the services? Is that just a simple matter
of more ownership/access rights on the various SMF properties?

But if there is an overall policy that should be applied instead,
like you are suggesting, then my take on this is that it falls outside
of what this project is delivering.

Thoughts?

Darren

_______________________________________________
networking-discuss mailing list
[email protected]