On Mon, 27.10.08 22:45, Axel Thimm (Axel.Thimm(a)ATrpms.net) wrote:
On Mon, Oct 27, 2008 at 03:53:30PM -0400, David Zeuthen wrote:
> Hence, if people want to share files using, say, Rhythmbox (and they
> do), they are left with either
> 1. Turning off the firewall
> 2. Configuring iptables(8) or using system-config-firewall
> Now, let me explain to you how RB/Banshee/gnome-user-share works. They
> allocate a random high port number. Now, before you complain that you
> think this is broken you have to understand why this is so.
> The programs have to do this because you may have several sessions or
> instances running. So in general you can't really predict the port
> number (or even range) to use since the user may add new services that
> share stuff on the network.
> So in general 2. won't really work (because you'd have to update it
> dynamically) so users of course resort to 1. Wow, what's that thing
> going out the window? That other useful stuff that we might have
> configured the iptables(8) stack with except for blocking ports.
But dynamic ports are not new to iptables, lots of protocols, be
that rpc, h323 or even p-o-d passive ftp need them and conntrack/pom
rectify the `static firewall' view.
But all those protocols start the connection with a well known port
and then hand things off to a dynamic port. If you use truly random
ports then iptables needs to sense what kind of protocol something is
based on the packet contents. Which security-wise is a joke, and
hence the whole idea makes no sense.
I haven't followed up the latest netfilter developments, but I think
there is even a userspace lib for registering such connections. Maybe
RB/mDNS and friends just need a pom `plugin'.
The Linux kernel already has an API for that. It's called listen().
Lennart Poettering Red Hat, Inc.
lennart [at] poettering [dot] net ICQ# 11060553
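The mechanism the thread argues about, as an added illustration that is not part of the original messages or of Rhythmbox/Banshee/gnome-user-share: each sharing instance binds to port 0 so the kernel hands out a free ephemeral port, two instances get two different ports, and a static allow list written before the program started cannot cover them. The allow list and the helper names are constructed for this example only.

```python
import socket

# Constructed static allow list, standing in for a system-config-firewall
# style configuration written before any sharing service was started.
STATIC_ALLOWED = {22, 80, 443}


def allocate_share_port(host="127.0.0.1"):
    """Bind to port 0 so the kernel chooses a free ephemeral port, which is
    what the sharing daemons in the thread do. Returns (socket, port); the
    port is only known after bind(), not before the program runs."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, 0))
    s.listen(5)
    return s, s.getsockname()[1]


def run_instances(n=2):
    """Start n listeners side by side (several sessions or instances) and
    return the ports the kernel assigned. Sockets are closed afterwards."""
    socks, ports = [], []
    try:
        for _ in range(n):
            s, port = allocate_share_port()
            socks.append(s)
            ports.append(port)
        return ports
    finally:
        for s in socks:
            s.close()


def allowed_by_static_rules(port, allowed=STATIC_ALLOWED):
    """True if a pre-written, port-based rule set would admit this port."""
    return port in allowed


def iptables_accept_rule(port, proto="tcp"):
    """The rule a static firewall would need for one such port. Because the
    port changes on every start, this rule would have to be regenerated
    dynamically, which is the point made in the thread."""
    return f"iptables -A INPUT -p {proto} --dport {port} -j ACCEPT"


if __name__ == "__main__":
    for port in run_instances(2):
        print(port, "allowed by static rules:",
              allowed_by_static_rules(port))
        print("would need:", iptables_accept_rule(port))
```

Running it twice on the same machine normally prints different ports each time, which is exactly why a fixed iptables(8) rule cannot be prepared in advance and why, absent a helper that can recognise the service from a well-known control port, users fall back to disabling the firewall.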