Bill Sommerfeld wrote:
> On Mon, 2008-08-18 at 13:06 -0700, Tony Nguyen wrote:
>> Hi Darren and all,
>>
>> As part of the Visual Panels project,
>>
>> http://opensolaris.org/os/project/vpanels
>>
>> we're proposing a generic firewall framework for Solaris. The framework
>> utilizes IPfilter to provide a simple mechanism to configure a firewall
>> on Solaris systems.
>
> I'm sorry, I just don't get it. The mechanisms you're setting up seem
> incompatible with delegated service administration.
>
> The purpose of a firewall is to establish policies to limit what traffic
> is allowed through a particular network chokepoint.
>
> Composing your policy out of bits and pieces contributed by different
> services which may be administered by different administrators
> (remember, different SMF services may be administered by different
> users) without a clear and coherent overall policy author strikes me as
> a disaster waiting to happen unless the global administrator can
> constrain what rules a service administrator can supply.
Delegated administration is defined at the property-group level, not the service level. Not only *can* you delegate the ability to administer a service without delegating the ability to change its firewall configuration, you would actually have to go out of your way to also delegate access to the firewall configuration.

Dave