In general, I think a firewall is the best place to
handle restricting access to services since it's a
unified place to control access to your entire
Agreed. A packetfilter/firewall should be used anyway.
However, we definitely support having useful
security tools for Wildfire. So, the question – is
it more helpful to bind to a certain interface for
the admin console or to restrict access to the admin
console to a set number of IP addresses?
I'd either do the first or both. I think it's far more easy to bind the admin console to 127.0.0.x and proxy requests (depending on your firewall rules, the remote ip, the time or phase of the moon) there than adding IPs to a config.
The current way to do that (binding everything to lo and NATing the XMPP things) seems to be far more complex and harder to handle.
We could support both options, but also want to keep
You stated that the current solution is good for 99% of the users. Fine - stick with this default but add the options for the 1% (three guys in this thread already =) ) that need it. Shouldn't make it harder for the "just works out of the box" user?
Just my humble opinion,
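The "bind to loopback and proxy" approach described in the reply above, as an added example that is not part of this thread or of Wildfire itself: a small TCP forwarder that listens on a LAN-facing address, checks the peer's source address against an allowlist of networks, and only then relays the connection to an admin console bound to 127.0.0.1. The port numbers (9090 for the console, 9091 for the proxy) and the allowed networks are assumptions; IP-based allowlisting is a complement to, not a substitute for, the packetfilter the thread already recommends.

```python
import ipaddress
import socket
import threading

# Assumed values: the admin console is bound only to loopback on 9090 (Wildfire's
# usual admin port); the proxy listens on all addresses on 9091 and relays only
# connections whose source address lies inside ALLOWED_SOURCES (constructed sample).
ADMIN_CONSOLE = ("127.0.0.1", 9090)
LISTEN = ("0.0.0.0", 9091)
ALLOWED_SOURCES = ("10.0.0.0/8", "192.168.1.0/24")


def is_allowed(peer_ip: str, allowed_networks=ALLOWED_SOURCES) -> bool:
    """True when peer_ip parses as an address inside one of allowed_networks."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # garbage or unparseable peer address: never allow
    return any(addr in ipaddress.ip_network(net) for net in allowed_networks)


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until either side closes, then tear both down."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle(client: socket.socket, peer: tuple) -> None:
    """Enforce the allowlist, then relay the admin console session both ways."""
    if not is_allowed(peer[0]):
        print(f"denied admin console access from {peer[0]}")  # route to syslog/SIEM
        client.close()
        return
    upstream = socket.create_connection(ADMIN_CONSOLE)
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)


def serve() -> None:
    with socket.create_server(LISTEN) as srv:
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer), daemon=True).start()


if __name__ == "__main__":
    serve()
```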