Scott Rotondo wrote:
>> A service is expected to only generate rules relevant to its
>> network traffic.
>
> It would be ideal if the way of expressing service rules made it
> impossible to affect other services. I don't think the current syntax
> for service rules provides that assurance (and it may not be feasible to
> do so), but it would be great if it could.
One thing to keep in mind is that the degree to which different rule sets can conflict with each other is limited by the separation of the firewall context (the definition provided by the service author) and the firewall config (the point of customization provided for the administrator). It doesn't eliminate the problem -- it puts the responsibility of creating a correct rule set in the hands of the service author -- but it does make it difficult for the administrator to accidentally create a configuration where two services are in conflict.

Dave