From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040514

Description of problem:
I think the ability to add additional services to the "trusted services" box (without modifying the source code) in system-config-securitylevel would be very useful.

My reasons:
1. I realize I could simply add the port number to "other ports:" but I have several obscure ports open on my box and I like the protocol listed next to the port number as it is in the trusted services box (to quickly remind me what each of them is).
2. When disabling the firewall this would avoid erasing the "other ports" I had typed in (requiring me to retype them in when the firewall was re-enabled).

Version-Release number of selected component (if applicable):
system-config-securitylevel-1.3.13-1

How reproducible:
Always

Steps to Reproduce:
1. not applicable
2.
3.

Additional info:
Paul, I'd like if you ping me when you start to work on this. Thanks.
*** Bug 137259 has been marked as a duplicate of this bug. ***
*** Bug 136800 has been marked as a duplicate of this bug. ***
Paul closed bug 138143 with the comment that the fix for this bug will provide the ability to configure ALL ASPECTS of an iptables-based firewall. Even then, it won't provide what was requested in bug 138143 -- the ability to work with other iptables tools which modify the configuration file, and the ability to make hand edits, both without risking blind overwrite of the configuration file by system-config-firewall.
The end of that last comment should read "system-config-securitylevel" rather than "system-config-firewall". And bug 138143 was closed as WONTFIX.
Daniel - feel free to reopen bug # 138143 as an RFE then
If turning system-config-securitylevel into a full-fledged ipchains configuration tool is not feasible in the near future, at least samba needs to be added to the list of services. To enable the samba service with the firewall turned on, multiple lines need to be added to the iptables file, but system-config-samba doesn't add them automatically and there's no simple way to do that with system-config-securitylevel.
I'm not sure how much this will help, but I thought a good first step in resolving this bug would be to collect a set of rules for a number of services. In the early 2000s (when ipchains was used), I used 'fwup' (http://www.fwup.org) with a great number of preconfigured services. It's never been updated to iptables, but still its list of services and ports to open should be of some use here.
It's true that system-config-securitylevel is supposed to be more simple than a full-fledged firewall config tool. However, I have made a variety of improvements that should take care of this issue. First, the firewall can be disabled without forgetting the config, which takes care of that concern. Second, you can enter the port by descriptive name now and see the names when you reload the config. Finally, samba is now supported as a checkbox to take care of Jungshik's concern.