This is the base problem. Networking and TCP/IP are duly complex. Any workable solution has to reduce the following concepts to a level that can be understood by a laymen without hindering the capabilities of IPTables:On Fri, 1 Aug 2003, Epps, Aaron M. wrote:
PLEASE WRAP YOUR LINES at less than 80 characters per line.
This suggestion is for "Home Users"... If someone's a SysAdmin and you have issues with figuring out Samba & IPTables then you shouldn't be one.
IPTables are enabled by default, how is a user going to know that they have to stop the iptables service in order for Network Browsing to work?
1- multiple interfaces used for different networks(either Internet on one and home network on the other or one used when you are on your work network and the other used when you are on your home network).
2- IP addresses, subnets, masks
3- what ports are used for what services (the names are not always very obvious)
In keeping with my list above, how do you ask a laymen whether it is ok to open these ports and have them fully understand the implications? For example if the computer in question is on a home network with some kind of firewall between them and the Internet then opening these ports will be fine. However, if they simply have a hub sharing their Internet connection and they are paying for multiple IP addresses then they will be attacked almost immediately if they open these ports.Also, I don't think just shutting off IPTables is a suitable solution, and even if they did shut off IPTables how many people do you know that have physical firewalls setup at home? If you also read my note, I suggested prompting the user if they wanted to open these ports, not to automagiclly go ahead an do it without their knowledge.
Maybe a personal firewall approach is needed. Just like it pop-ups a yes/no dialog box for every outgoing or incoming connection such a program could pop-up and ask to allow incoming calls for certain listen ports.I will refer back to my point about explaining to laymen first of all what a "port" is and then what each requested port is used for.
(The moment a program listens on a port an event is triggered)
And then you can decide to allow it from a single address, a network range or decide to allow it on a case by case basis.
This dips heavily into understanding the complexities of TCP/IP network addressing.
That's probably what 'Home Users' would expect anyway. The current iptables firewall from Red Hat is a basic tool and limited in functionality.This statement is just plain wrong. IPTables is a VERY powerful tool. Are you maybe referring to the firewall configuration tool? If so it is sufficiently functional for a home user although using it properly would definitely be beyond a laymen.
-- (¬_ Some days you're the windshield >o) //\ Some days you're the bug... /\\ V_/_ _\_V Charles Bronson
