On Mon, 2008-08-18 at 13:06 -0700, Tony Nguyen wrote:
> Hi Darren and all,
>
> As part of the Visual Panels project,
>
> http://opensolaris.org/os/project/vpanels
>
> we're proposing a generic firewall framework for Solaris. The framework
> utilizes IPfilter to provide a simple mechanism to configure a firewall
> on Solaris systems.
I'm sorry, I just don't get it. The mechanisms you're setting up seem incompatible with delegated service administration. The purpose of a firewall is to establish policies to limit what traffic is allowed through a particular network chokepoint. Composing your policy out of bits and pieces contributed by different services which may be administered by different administrators (remember, different SMF services may be administered by different users) without a clear and coherent overall policy author strikes me as a disaster waiting to happen unless the global administrator can constrain what rules a service administrator can supply.

The use cases don't seem all that realistic -- Example 2 makes no sense -- why create a special rule to block port 22 when you're going to block everything anyway? Example 5 talks about blocking a specific known malicious IP address. That doesn't match the real-world threat environment where attackers have effectively unlimited numbers of origin IP addresses to attack from; if you block one of them they'll hop to another.
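The constraint the reply asks for (a global administrator deciding which rules a per-service administrator may contribute) can be sketched as a small policy checker. The following is an added example for this thread, not code from the Visual Panels project or from either poster; the SMF service names, the delegation table, the accepted rule shape and the composition order are all assumptions chosen for illustration. Note on IPfilter semantics: ipf evaluates a ruleset with last-match-wins unless a rule carries `quick`, which stops evaluation at that rule; the composed output below puts the administrator's `block in all` first and only admits `pass in quick` rules from services, so an accepted service rule wins under either reading.

```python
"""Hypothetical policy checker for service-contributed IPfilter rules.

Added example: a global administrator delegates specific inbound ports to
specific SMF services; every rule a service contributes is checked against
that delegation before it is composed into the final ipf.conf.  Names and
the delegation table are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed delegation table: service FMRI -> (protocol, ports it may open).
DELEGATIONS = {
    "svc:/network/ssh:default": ("tcp", {22}),
    "svc:/network/http:apache22": ("tcp", {80, 443}),
}

# The only rule shape a service may contribute: an inbound, stateful pass
# rule on a single port.  Block rules, outbound rules, interface-specific
# rules and "pass in all" are not delegated and must come from the global
# administrator's own policy.
RULE_RE = re.compile(
    r"^pass in quick proto (?P<proto>tcp|udp) from any to any "
    r"port = (?P<port>\d+) keep state$"
)


@dataclass
class Rejection:
    service: str
    rule: str
    reason: str


def check_rule(service, rule):
    """Return None if the service may contribute this rule, else a Rejection."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return Rejection(service, rule, "rule shape not delegated to services")
    if service not in DELEGATIONS:
        return Rejection(service, rule, "service has no firewall delegation")
    proto, ports = DELEGATIONS[service]
    if m.group("proto") != proto or int(m.group("port")) not in ports:
        return Rejection(service, rule, "port/protocol not delegated to this service")
    return None


def compose(contributions):
    """Build ipf.conf lines: global default deny first, then accepted
    service rules.  Returns (config_lines, rejections)."""
    accepted, rejected = [], []
    for service, rules in contributions.items():
        for rule in rules:
            r = check_rule(service, rule)
            (rejected if r else accepted).append(r or rule.strip())
    config = [
        "# global policy (administrator-owned)",
        "block in all",
        "# service-contributed rules (checked against delegation)",
    ] + accepted
    return config, rejected


# Constructed sample contributions, including a redundant explicit block on
# port 22 (pointless under "block in all"), a port the service was never
# delegated, and a service with no delegation at all.
CONTRIBUTIONS = {
    "svc:/network/ssh:default": [
        "pass in quick proto tcp from any to any port = 22 keep state",
        "block in quick proto tcp from any to any port = 22",
    ],
    "svc:/network/http:apache22": [
        "pass in quick proto tcp from any to any port = 443 keep state",
        "pass in quick proto tcp from any to any port = 8080 keep state",
    ],
    "svc:/site/unknown:default": [
        "pass in all",
    ],
}

if __name__ == "__main__":
    lines, rejections = compose(CONTRIBUTIONS)
    print("\n".join(lines))
    for rej in rejections:
        print(f"# REJECTED {rej.service}: {rej.rule!r} ({rej.reason})")
```

Running the block prints a five-line ipf.conf (the default deny plus the two delegated pass rules) and three rejections. Everything a service cannot justify from its delegation, including the redundant port-22 block from Example 2, stays out of the composed policy; only the administrator's own file can widen or narrow it.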