Bill Sommerfeld wrote:
> On Mon, 2008-08-18 at 13:06 -0700, Tony Nguyen wrote:
>> Hi Darren and all,
>>
>> As part of the Visual Panels project,
>>
>> http://opensolaris.org/os/project/vpanels
>>
>> we're proposing a generic firewall framework for Solaris. The framework 
>> utilizes IPfilter to provide a simple mechanism to configure a firewall 
>> on Solaris systems.
> 
> I'm sorry, I just don't get it.  The mechanisms you're setting up seem
> incompatible with delegated service administration.
> 
> The purpose of a firewall is to establish policies to limit what traffic
> is allowed through a particular network chokepoint.
> 
> Composing your policy out of bits and pieces contributed by different
> services which may be administered by different administrators
> (remember, different smf services may be administered by different
> users) without a clear and coherent overall policy author strikes me as
> a disaster waiting to happen unless the global administrator can
> constrain what rules a service administrator can supply.

   Delegated administration is defined at the property-group level, not
   the service level.

   Not only *can* you delegate the ability to administer a service
   without delegating the ability to change its firewall configuration,
   you would actually have to go out of your way to also delegate access
   to the firewall configuration.

   Dave

