<p dir="ltr"><br>
On Dec 9, 2014 12:06 PM, "Chuck Anderson" <<a href="mailto:cra@wpi.edu">cra@wpi.edu</a>> wrote:<br>
><br>
> On Tue, Dec 09, 2014 at 11:52:01AM -0700, Pete Travis wrote:<br>
> > On Dec 9, 2014 11:33 AM, "Chuck Anderson" <<a href="mailto:cra@wpi.edu">cra@wpi.edu</a>> wrote:<br>
> > I should have said "ask firewalld for a port to be opened" - sorry, I<br>
> > thought that would come from the context.<br>
> ><br>
> > Are you saying bind() should be talking to firewalld, via some approval<br>
> > agent? How do we make that happen?<br>
><br>
> My point was that a firewall is superfluous if a program can just ask<br>
> firewalld to poke a hole in the firewall for it automatically, because<br>
> a program can already ask the system to open a listening port for it<br>
> using bind(2) (and listen(2) and accept(2)) when no firewall is<br>
> present.<br>
><br>
> It means that in a world where automatic-hole-punching exists, the<br>
> only use of a firewall on the host is maybe to limit the SCOPE of such<br>
> communication, not whether such communication is allowed at all or<br>
> not. This is where firewall zones come in.<br></p>
<p dir="ltr">Okay, one more thing on the ideal requirements list: firewalld must not blindly approve all requests, there must be some approval mechanism. What would that look like?</p>
<p dir="ltr">--Pete</p>