Scott Rotondo wrote:
> Bill Sommerfeld wrote:
>>> Maybe I should ask, what would you define as being an "overall
>>> policy"?
>>
>> A single coherent source for "what should be allowed on this system"
>> which comes from a single origin.  You are likely to lose that coherence
>> when you take the policy, salami-slice it, and spread it through a bunch
>> of service properties.  
>
> I think the desired use case for this feature requires two things:
>
> 1. An overall policy, specified once by the system administrator, that 
> describes the maximum set of inbound and outbound network traffic that 
> is allowed.
>
> 2. Individual per-service rules that are automatically added and 
> removed when the corresponding services are enabled and disabled. 
> These rules cannot override the restrictions in the overall policy.
>
> In order for the administrator to make meaningful predictions about 
> the behavior of the system, it's important for the per-service rules 
> to be subject to the limits prescribed by the overall policy.
>
> After a cursory review of the design proposal, it seems possible to 
> configure the firewall in a way that obeys these rules. The question 
> is: Does this design ensure, or at least strongly encourage, a 
> configuration that does so? If not, it may be too flexible for the 
> intended purpose.
>
Hi Scott,

The design strongly encourages your described scenario, though presented 
differently. The overall policy is split into two global layers, Global 
Default and Global Override.

- Initially, services are set to inherit Global Default's policy so 
service-specific rules enforce the same policy (block or allow the same 
set of network entities). This is the preferred and default setting for 
services.

- An administrator can, however, choose to set a different policy for a 
specific service. This action potentially exposes the system, but only 
through that service and is a user's conscious decision.

- The Global Override allows another set of global rules, overall 
policy, that takes precedence over the needs of all services. This 
explicit global override policy makes it clear services' policies are 
restricted by another overall policy.

It's perhaps not the cleanest approach but it's a model easy to 
understand for our target audience, the casual users.

Thanks
tony
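
Added example, not part of the original message or the project's own code: a minimal Python model of the layering described in the reply above (Global Override, per-service policy, inherited Global Default). The class names, the allow/deny list semantics, and the rule that an override block is final are assumptions made for illustration; the addresses are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    # Assumed semantics: "allow" passes only listed networks,
    # "deny" blocks listed networks and passes everything else.
    mode: str
    networks: Tuple[str, ...] = ()

    def permits(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        listed = any(addr in ipaddress.ip_network(n) for n in self.networks)
        return listed if self.mode == "allow" else not listed


@dataclass
class Firewall:
    global_default: Policy
    global_override: Optional[Policy] = None
    # Services missing from this map inherit the Global Default.
    service_policies: Dict[str, Policy] = field(default_factory=dict)

    def decide(self, service: str, src: str) -> Tuple[bool, str]:
        """Return (allowed, layer that made the decision)."""
        # Layer 1: the override is checked first, so no service can widen it.
        if self.global_override and not self.global_override.permits(src):
            return False, "global override"
        # Layer 2: an explicit per-service policy replaces the default.
        own = self.service_policies.get(service)
        if own is not None:
            return own.permits(src), "service policy"
        # Layer 3: otherwise the service inherits the Global Default.
        return self.global_default.permits(src), "global default (inherited)"


# Constructed sample configuration.
fw = Firewall(
    global_default=Policy("deny", ("203.0.113.0/24",)),
    global_override=Policy("deny", ("198.51.100.0/24",)),
    service_policies={"ssh": Policy("allow", ("0.0.0.0/0",))},
)

if __name__ == "__main__":
    for svc, src in [("http", "203.0.113.5"), ("ssh", "203.0.113.5"),
                     ("ssh", "198.51.100.7"), ("http", "192.0.2.1")]:
        print(svc, src, fw.decide(svc, src))
```

In this model the `ssh` service's own policy exposes it to a network the default blocks, but only for that service, and the override still blocks `198.51.100.0/24` for every service.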
