The dialog has been reworked. It is displayed in graphical mode. I have added a section called "features" and moved some of the fields from the top of the dialog there.
You can now add a single line comment explaining the purpose of a rule.
The module has an algorithm to order the rules, and this works most of the time. It is based on the net-mask, the policy, the interface and so on. A new field called "ordering factor" has been added. This gives you the final say on the ordering. The default factor is 50. This factor is the primary criterion for ordering. Further, the rule list is also sorted by this factor when it is displayed.
In the near future, I will add a concept of pre-cooked solutions for fire-walling, and this ordering factor will be used to allow mixing of "generated" and "manual" rules.
By default, Linuxconf generates two IP-chain rules (sometimes more) for each rule entered in Linuxconf. It generates a rule "from -> to" and a rule "to -> from".
A new check-box (on by default) limits this behavior. When it is disabled, Linuxconf only generates the "from -> to" rule.
This feature is not implemented yet, but the dialog now has two new check-boxes, one in the "from" area and one in the "to" area. They control whether TCP SYN packets are accepted. They have no effect currently.
An input rule deals with the "input interface". The other rules (forward and output) deal with the "output interface". To differentiate those cases, the field title changes between input rules and the others.
Firewall rules are sometimes weak, because the exact interface or host IP number is not known. This is the case with PPP dialout and dialin: one will often use ppp0, guessing that it is the device which will be allocated. This is also the case with "per user" fire-walling.
We are introducing the concept of logical interfaces and logical hosts. Where you normally enter a host IP or name, you can now enter a logical host, and the IP number will be looked up in other Linuxconf modules. The same applies to interfaces.
A logical host or interface is presented like this:
The firewall module uses the FWINFO_API inter-module API to get the information. If the information is not available, then the rule is not generated and a message is entered in the log. Each participating module implements this API and supplies the information. So far, the dialout and pppdialin modules have been enhanced to support it.
Note that it is the responsibility of those modules to trigger the firewall module to install new rules (in the kernel). For example, when a dialout connection is established, the dialout module sends a signal to the firewall module, which then updates its rules. The dialout module has a check-box just for that.
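The following is an added illustration of the behaviour described above (the ordering factor, the optional "to -> from" rule, and logical hosts or interfaces that are resolved through another module or else skipped with a log entry). It is not Linuxconf's own code: the FWINFO lookup table, the "@name" syntax for logical names, the Rule fields and the tie-breaker applied after the ordering factor are all assumptions made for the example.

```python
"""Constructed model of the firewall-module rule handling described in the
release note. Added example, not Linuxconf code; names, the lookup table and
the tie-breaker after the ordering factor are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical stand-in for the answers other modules give through FWINFO_API.
# A missing key models "information not available" (e.g. the link is down).
FWINFO = {
    "dialout-host": "10.0.0.5",   # constructed sample value
    "dialout-iface": "ppp0",
}


@dataclass
class Rule:
    comment: str           # single-line comment explaining the rule's purpose
    policy: str            # ACCEPT / DENY / REJECT
    src: str               # IP or prefix, or "@logical-name" (assumed syntax)
    dst: str
    iface: str             # interface name, or "@logical-name"
    factor: int = 50       # ordering factor, default 50
    two_way: bool = True   # also emit the "to -> from" rule (on by default)


def resolve(value: str) -> Optional[str]:
    """Logical names start with '@' and are looked up in FWINFO; concrete
    values are returned unchanged. None means the module had no answer."""
    if value.startswith("@"):
        return FWINFO.get(value[1:])
    return value


def sort_key(rule: Rule):
    """Ordering factor is the primary criterion. The note says net-mask,
    policy and interface follow; as an assumed tie-breaker, more specific
    source prefixes sort first. Unresolved sources count as 0.0.0.0/0."""
    src = resolve(rule.src) or "0.0.0.0/0"
    prefix = ipaddress.ip_network(src, strict=False).prefixlen
    return (rule.factor, -prefix, rule.policy, rule.iface)


def generate(rules, chain="forward", log=None):
    """Emit ipchains-style lines in display order. A rule whose logical host
    or interface cannot be resolved is not generated; a log entry is made."""
    log = [] if log is None else log
    lines = []
    for r in sorted(rules, key=sort_key):
        src, dst, iface = resolve(r.src), resolve(r.dst), resolve(r.iface)
        if None in (src, dst, iface):
            log.append(f"rule '{r.comment}' not generated: logical name unresolved")
            continue
        base = f"ipchains -A {chain} -i {iface} -j {r.policy}"
        lines.append(f"{base} -s {src} -d {dst}  # {r.comment}")
        if r.two_way:
            lines.append(f"{base} -s {dst} -d {src}  # {r.comment} (to -> from)")
    return lines, log


# Constructed sample rule set; "@dialin-host" has no FWINFO entry on purpose.
RULES = [
    Rule("dial-out traffic", "ACCEPT", "@dialout-host", "0.0.0.0/0", "@dialout-iface", factor=60),
    Rule("lan to dmz", "ACCEPT", "192.168.1.0/24", "192.168.2.0/24", "eth0", two_way=False),
    Rule("block host", "DENY", "192.168.1.7/32", "0.0.0.0/0", "eth0", factor=10),
    Rule("ppp dialin", "ACCEPT", "@dialin-host", "192.168.1.0/24", "@dialin-iface"),
]

if __name__ == "__main__":
    out, messages = generate(RULES)
    print("\n".join(out))
    print("log:", messages)
```

Running the module prints five ipchains lines (the DENY rule first because of its factor of 10, the one-way LAN rule as a single line, the dial-out rule in both directions) and one log message for the dialin rule whose logical host the dialin module has not supplied.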
New command lines were also added to allow a third party to enable the new rules.
They are the following:
linuxconf --modulemain firewall --resetfw
linuxconf --modulemain firewall --setfw
The first disables all rules; the second enables the rules.