Primary goal: Make firewalls simple to set up and maintain

1. Cockpit requires port 22 (SSH) and also listens on port 9090, so we'll already have to start with rule exceptions. (I suppose they should not be able to be disabled?)
2. Open ports with ease (as they're blocked by default).
3. Show an easy-to-understand overview of active firewall rules.
4. Have different permissions on different network interfaces (simplified zones).

Replace system-config-firewall, but not 1:1 - make it easier to use (overarching goal).

As firewalling is complex, we'll tackle this in stages. The first step would include goals 1 - 3.

Non-goals:

- Don't handle roaming networks (such as a laptop on various wifi access points); assume servers are in a fixed location.
- Don't include UI to be a full router; this is for server configuration.
- Don't complicate the UI by exposing every possible feature.

Andreas collected data based on Red Hat customer support information and Garrett categorized each item.

| Customer issues (firewall related) | % of Cases |
| --- | --- |
| Unblock non-ports (ICMP, multicast, etc.) | |

Looking at the support request percentages versus support documentation percentages, it's clear that we need to make sure the firewall is easy to understand, and that it's simple to unblock ports. The percentage of cases counts actual customers with issues. Support document percentages refer to subjects that are either more complex or have a lot of options to write about (example: a large list of ports for different services). We should focus our design mainly on the percentage of cases. For the first pass, I suggest we concentrate on cases > 6%, and add the rest in separate PRs later.

Summary: Disable/enable firewall for debugging purposes.

Kareem is a second-string admin at a paper factory. He knows that earlier in the day his co-worker Billie was messing around with network settings on their mail server. Too bad Billie went away for the evening, leaving Kareem to clean up her mess. Kareem doesn't know the complexities of iptables, but wants to figure out what Billie (who thinks she knows iptables pretty well) did and try to fix the problem. Kareem logs in to Cockpit to see if the services are running. He switches to the networking tab to see that both network interfaces (internal and external) are up. His next step in debugging is to check out SELinux. Did Billie change that? There's nothing in the logs that would indicate an issue. Kareem then switches to the firewall page and sees a bunch of default firewall rules previously set by Billie on the command line. He decides to test the firewall, to see if a port happens to be blocked. He toggles it off and everything works as expected (at least locally). He flips the switch back on, and he cannot contact the mail server. It is an issue with the firewall: Billie made a typo earlier in the day. Kareem happens to notice, under all the firewall rules, that Cockpit is suggesting he unblock the SMTP port of the mail server. He allows it, and that fixes the problem.
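An added example, not code from the Cockpit project: a small Python model of the check behind the story's suggestion (services listening on the host whose ports the active zone does not let in), which also refuses a rule set that would drop Cockpit's own ports 22 and 9090 as goal 1 asks. The `ss` output, the zone contents, the `ZoneRules` model and the typo port 52 are all constructed for this illustration.

```python
from dataclasses import dataclass, field

# Ports Cockpit itself depends on (goal 1); the design suggests these
# should never be disableable, so a rule set that drops them is rejected.
REQUIRED_PORTS = {22: "ssh", 9090: "cockpit"}

@dataclass
class ZoneRules:
    """Simplified firewalld zone: interfaces bound to it and allowed TCP ports.
    Hypothetical model, not Cockpit's data structure."""
    name: str
    interfaces: list
    open_ports: set = field(default_factory=set)

def parse_ss_listen(output: str) -> dict:
    """Map listening TCP ports to process names from `ss -ltnp`-style text."""
    listening = {}
    for line in output.strip().splitlines()[1:]:      # skip header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        port = int(cols[3].rsplit(":", 1)[1])         # handles [::]:25 too
        proc = cols[-1].split('"')[1] if '"' in cols[-1] else "?"
        listening[port] = proc
    return listening

def missing_required(zone: ZoneRules) -> list:
    """Required ports (22, 9090) that the zone would block; must be empty."""
    return sorted(p for p in REQUIRED_PORTS if p not in zone.open_ports)

def suggest_unblocks(listening: dict, zone: ZoneRules) -> list:
    """Services listening on the host that the zone does not let in.
    This is the 'you may want to unblock SMTP' hint from the story."""
    if missing_required(zone):
        raise ValueError(f"zone {zone.name} blocks Cockpit/SSH: {missing_required(zone)}")
    return sorted((port, proc) for port, proc in listening.items()
                  if port not in zone.open_ports)

# Constructed sample: what `ss -ltnp` might show on the mail server.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      100          0.0.0.0:25        0.0.0.0:*     users:(("master",pid=1201,fd=13))
LISTEN 0      4096         0.0.0.0:9090      0.0.0.0:*     users:(("systemd",pid=1,fd=45))
"""

# Constructed zone: Billie meant to open 25 but typed 52.
EXTERNAL = ZoneRules("external", ["eth0"], {22, 9090, 52})

SUGGESTIONS = suggest_unblocks(parse_ss_listen(SAMPLE_SS), EXTERNAL)  # [(25, 'master')]
```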