Bill Sommerfeld wrote:
>> Maybe I should ask, what would you define as being an "overall
>> policy"?
>
> A single coherent source for "what should be allowed on this system"
> which comes from a single origin. You are likely to lose that coherence
> when you take the policy, salami-slice it, and spread it through a bunch
> of service properties.
I think the desired use case for this feature requires two things:

1. An overall policy, specified once by the system administrator, that
   describes the maximum set of inbound and outbound network traffic that
   is allowed.

2. Individual per-service rules that are automatically added and removed
   when the corresponding services are enabled and disabled. These rules
   cannot override the restrictions in the overall policy.

In order for the administrator to make meaningful predictions about the
behavior of the system, it's important for the per-service rules to be
subject to the limits prescribed by the overall policy.

After a cursory review of the design proposal, it seems possible to
configure the firewall in a way that obeys these rules. The question is:
Does this design ensure, or at least strongly encourage, a configuration
that does so? If not, it may be too flexible for the intended purpose.

Scott
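The two-layer model Scott describes (an administrator-owned overall policy that bounds what may ever be allowed, plus per-service rules that come and go with their services but can never widen that bound) can be sketched as a small executable model. The code below is an added illustration written for this page; it is not code from the design proposal, from IPfilter, or from any service-management framework, and every class and function name in it (Scope, Rule, Firewall, build_example) is hypothetical. The sample policy and addresses are constructed for the example.

```python
"""Model of a two-layer firewall policy: an overall policy set once by the
administrator bounds everything; per-service rules are installed and removed
with their services but are clipped to that bound, never widening it.
Constructed illustration only; names and data here are hypothetical."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address


@dataclass(frozen=True)
class Scope:
    """One entry of the overall policy: the widest traffic that may be allowed."""
    direction: str          # "in" or "out"
    proto: str              # "tcp" or "udp"
    ports: tuple            # inclusive (low, high) port range
    net: IPv4Network        # remote addresses this scope covers

    def covers(self, rule: "Rule") -> bool:
        """True only if the rule lies entirely inside this scope."""
        return (rule.direction == self.direction
                and rule.proto == self.proto
                and self.ports[0] <= rule.port <= self.ports[1]
                and rule.net.subnet_of(self.net))


@dataclass(frozen=True)
class Rule:
    """A per-service allow rule for a single port and remote network."""
    direction: str
    proto: str
    port: int
    net: IPv4Network


class Firewall:
    """Holds the overall policy plus the per-service rules currently in effect."""

    def __init__(self, policy):
        self.policy = list(policy)
        self.installed = {}   # service -> rules actually in effect
        self.rejected = {}    # service -> rules dropped for exceeding the policy

    def enable(self, service, rules):
        """Install a service's rules, keeping only those the overall policy covers.

        Returns the rejected rules so the caller can log them or refuse to
        start the service; the point is that enabling a service can never
        admit traffic the administrator's policy did not already permit.
        """
        kept = [r for r in rules if any(s.covers(r) for s in self.policy)]
        self.installed[service] = kept
        self.rejected[service] = [r for r in rules if r not in kept]
        return self.rejected[service]

    def disable(self, service):
        """Remove every rule the service contributed."""
        self.installed.pop(service, None)
        self.rejected.pop(service, None)

    def allows(self, direction, proto, port, addr):
        """Would a packet with these attributes be accepted right now?"""
        ip = ip_address(addr)
        return any(r.direction == direction and r.proto == proto
                   and r.port == port and ip in r.net
                   for rules in self.installed.values() for r in rules)


def build_example():
    """Constructed scenario: admin allows inbound TCP 22-1024 from 10/8 only."""
    fw = Firewall([
        Scope("in", "tcp", (22, 1024), IPv4Network("10.0.0.0/8")),
        Scope("out", "tcp", (1, 65535), IPv4Network("0.0.0.0/0")),
    ])
    # ssh stays within the bound and is installed in full.
    fw.enable("ssh", [Rule("in", "tcp", 22, IPv4Network("10.0.0.0/8"))])
    # http asks for the whole Internet; that exceeds the policy and is
    # dropped, so enabling the service cannot widen what the admin allowed.
    fw.enable("http", [Rule("in", "tcp", 80, IPv4Network("0.0.0.0/0"))])
    return fw


if __name__ == "__main__":
    fw = build_example()
    print("ssh from 10.1.2.3:", fw.allows("in", "tcp", 22, "10.1.2.3"))
    print("http from 198.51.100.7:", fw.allows("in", "tcp", 80, "198.51.100.7"))
    print("rejected for http:", fw.rejected["http"])
```

The design choice worth noting is where the check lives: the per-service rule is evaluated against the overall policy at the moment it is installed, and anything outside the bound is dropped rather than merged. Whether a rejected rule should abort enabling the service or merely be logged is a separate decision, but either way the administrator can predict the system's behaviour from the overall policy alone, which is the property Scott asks the design to guarantee.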