Firewall settings unworkable

Tim Waugh twaugh at redhat.com
Thu Oct 7 11:12:50 UTC 2010


On Wed, 2010-10-06 at 19:31 +0100, Richard W.M. Jones wrote:
> Seems quite complex.  What's wrong with a directory:
> 
>   /etc/iptables.d/
> 
> where RPMs like libvirt just drop the required additional rules (in a
> separate chain if you like) and restart the iptables service?  It's
> low-tech but simple and it's all that libvirt needs.

Other applications need more than that.

For example, when CUPS wants to detect network printers using SNMP, a
query is sent as a UDP packet to the broadcast address(es) from a local
unprivileged port to the remote SNMP port, 161.  It needs to be able to
hear replies.

What I was saying in my original post is that there is no simple
iptables rule that can be written today to express that, aside from
simply allowing all UDP packets to unprivileged ports, obviously not
something we want to do.

Ideally the kernel would provide a way to express this using a conntrack
module.  Until that time, however, being able to do this would suffice:

* bind() to get a free local unprivileged port

* use D-Bus to tell the firewall to allow UDP sport:161 dport:$port for
a short time

* send query

* listen for responses

* (optionally) use D-Bus to tell the firewall it can discard that rule
now

Until bind() is called, no-one knows what local port to allow UDP
packets in on.

Tim.
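The bind-then-punch sequence above, as an added example in Python (not code from the original post, from CUPS, or from any firewall daemon). It does step 1 for real, binding a UDP socket to port 0 so the kernel assigns the unprivileged port, and then builds the narrow reply rule for that port. Two things are assumptions: the D-Bus firewall call is not on the page, so the rule is returned as an iptables argv (`-I INPUT -p udp --sport 161 --dport $port -j ACCEPT`, and the matching `-D`) rather than sent anywhere; and a minimal hand-encoded SNMPv1 GetRequest for sysDescr.0 stands in for whatever query CUPS really sends. Only the `__main__` block touches the network.

```python
import socket
import time

SNMP_PORT = 161                 # remote agent port the broadcast probe is sent to
BROADCAST = "255.255.255.255"   # assumption: limited broadcast; CUPS may use per-interface ones


# --- minimal BER encoder for an SNMPv1 GetRequest (stand-in for the CUPS probe) ---

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """Non-negative INTEGER in minimal two's complement (leading 0x00 if the high bit is set)."""
    if value < 0:
        raise ValueError("negative values are not needed here")
    return ber(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return ber(0x06, bytes(body))


def snmp_get_request(community, oid, request_id):
    """SNMPv1 GetRequest for a single OID (constructed sample probe, not the CUPS one)."""
    varbind = ber(0x30, ber_oid(oid) + b"\x05\x00")                      # { OID, NULL }
    pdu = ber(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)       # id, error-status, error-index
              + ber(0x30, varbind))
    return ber(0x30, ber_int(0) + ber(0x04, community.encode()) + pdu)  # version 0 = SNMPv1


# --- the sequence from the post ---

def open_discovery_socket():
    """Step 1: bind() to port 0 so the kernel hands out a free unprivileged port.
    Until this returns, nobody knows which dport the reply rule has to name."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.bind(("", 0))
    return sock, sock.getsockname()[1]


def firewall_rules(local_port):
    """Steps 2 and 5: the narrow rule the firewall is asked to add, and its removal.
    Assumption: the D-Bus service ends up installing an iptables rule of this shape.
    The argv is returned for the caller (or a test) to inspect; it is not executed."""
    if not 1024 <= local_port <= 65535:
        raise ValueError("expected an unprivileged local port")
    match = ["INPUT", "-p", "udp", "--sport", str(SNMP_PORT),
             "--dport", str(local_port), "-j", "ACCEPT"]
    return ["iptables", "-I"] + match, ["iptables", "-D"] + match


def probe(sock, packet, timeout=2.0):
    """Steps 3 and 4: send the query to the broadcast address and collect replies
    until the deadline. Without the reply rule in place nothing will be heard."""
    sock.sendto(packet, (BROADCAST, SNMP_PORT))
    deadline = time.monotonic() + timeout
    replies = []
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        sock.settimeout(remaining)
        try:
            data, peer = sock.recvfrom(4096)
        except socket.timeout:
            break
        replies.append((peer[0], data))   # replies come unicast from each agent
    return replies


if __name__ == "__main__":
    sock, port = open_discovery_socket()
    add_rule, del_rule = firewall_rules(port)
    print("local port:", port)
    print("ask firewall to run:", " ".join(add_rule))      # would go over D-Bus in the post's design
    for host, data in probe(sock, snmp_get_request("public", "1.3.6.1.2.1.1.1.0", 1)):
        print(host, len(data), "bytes")
    print("ask firewall to run:", " ".join(del_rule))
    sock.close()
```

Note what the rule does and does not buy: for its lifetime it admits any UDP datagram whose source port is 161 to the chosen local port, and a source port is trivially chosen by whoever sends the packet, so the window is narrow in time and destination port but not authenticated. That is the gap the post points at when it says the proper fix is a conntrack helper that ties the replies to the outgoing query.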