Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
11:34 p.m.
Hi,
W dniu 3 grudnia 2010 09:14 użytkownik Michał Piotrowski
<mkkp4x4(a)gmail.com> napisał:
[..]
What services are installed by default when installong form Live
GNOME/KDE/etc and DVD?
Ok, let's ask the question differently - what services should be run
by default to provide working system for desktop user?
IMO ssh can be off by default and should be started only if user tries
to connect over port 22.
Do we really need to install iptables/ip6tables by default (it's in core group)?
--
Best regards,
Michal
Sent from my iToaster
3:43 a.m.
Hi,
On 12/06/2010 06:34 AM, Michał Piotrowski wrote:
Hi,
W dniu 3 grudnia 2010 09:14 użytkownik Michał Piotrowski
<mkkp4x4(a)gmail.com> napisał:
[..]
> What services are installed by default when installong form Live
> GNOME/KDE/etc and DVD?
Ok, let's ask the question differently - what services should be run
by default to provide working system for desktop user?
IMO ssh can be off by default and should be started only if user tries
to connect over port 22.
Do we really need to install iptables/ip6tables by default (it's in core group)?
Do we really need a firewall configured ?
Yes we do because of <blink><b>SECURITY</b></blink>
I'm sorry but asking if we really need iptables by default is just stupid!
Regards,
Hans
3:54 a.m.
W dniu 6 grudnia 2010 10:43 użytkownik Hans de Goede
<hdegoede(a)redhat.com> napisał:
Hi,
On 12/06/2010 06:34 AM, Michał Piotrowski wrote:
> Hi,
>
> W dniu 3 grudnia 2010 09:14 użytkownik Michał Piotrowski
> <mkkp4x4(a)gmail.com> napisał:
> [..]
>> What services are installed by default when installong form Live
>> GNOME/KDE/etc and DVD?
>
> Ok, let's ask the question differently - what services should be run
> by default to provide working system for desktop user?
>
> IMO ssh can be off by default and should be started only if user tries
> to connect over port 22.
>
> Do we really need to install iptables/ip6tables by default (it's in core group)?
>
Do we really need a firewall configured ?
Yes we do because of <blink><b>SECURITY</b></blink>
I'm sorry but asking if we really need iptables by default is just stupid!
LOL :)
There are no stupid questions :)
On most desktop systems firewall is not needed. Many users do not even
know how to configure it. In fact I disable it in most of my systems,
because there is no real use for it. So I asked a simple question
whether there is a need to install iptables by default?
Your answer is not satisfactory for me - because not configured
firewall has nothing to do with security. In fact, it can only bring
false sense of security.
Regards,
Hans
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
--
Best regards,
Michal
Sent from my iToaster
10:04 a.m.
New subject: Firewall
On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
On most desktop systems firewall is not needed. Many users do not
even
know how to configure it. In fact I disable it in most of my systems,
because there is no real use for it. So I asked a simple question
whether there is a need to install iptables by default?
Your answer is not satisfactory for me - because not configured
firewall has nothing to do with security. In fact, it can only bring
false sense of security.
I believe the default is to block incoming connections except for a few
services. This is good if you are running a sloppily written
single-user server that binds to the wildcard address. The Haskell
Scion server fell in this category as of August 2009; I didn't look to
see what a remote user might be able to do to me by connecting to it.
Yes, the proper way to avoid problems is to bind to localhost, but the
firewall can be nice.
--
Matt
12:04 p.m.
New subject: Firewall
On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
> On most desktop systems firewall is not needed. Many users do not even
> know how to configure it. In fact I disable it in most of my systems,
> because there is no real use for it. So I asked a simple question
> whether there is a need to install iptables by default?
>
> Your answer is not satisfactory for me - because not configured
> firewall has nothing to do with security. In fact, it can only bring
> false sense of security.
I believe the default is to block incoming connections except for a few
services. This is good if you are running a sloppily written
single-user server that binds to the wildcard address. The Haskell
Scion server fell in this category as of August 2009; I didn't look to
see what a remote user might be able to do to me by connecting to it.
Yes, the proper way to avoid problems is to bind to localhost, but the
firewall can be nice.
It would be nice if the firewall automatically followed services that
I have enabled and disabled. eg. If I explicitly enable the
webserver, it should open the corresponding port(s).
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
12:07 p.m.
New subject: Firewall
Richard W.M. Jones píše v Po 06. 12. 2010 v 18:04 +0000:
On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
> > On most desktop systems firewall is not needed. Many users do not even
> > know how to configure it. In fact I disable it in most of my systems,
> > because there is no real use for it. So I asked a simple question
> > whether there is a need to install iptables by default?
> >
> > Your answer is not satisfactory for me - because not configured
> > firewall has nothing to do with security. In fact, it can only bring
> > false sense of security.
>
> I believe the default is to block incoming connections except for a few
> services. This is good if you are running a sloppily written
> single-user server that binds to the wildcard address. The Haskell
> Scion server fell in this category as of August 2009; I didn't look to
> see what a remote user might be able to do to me by connecting to it.
> Yes, the proper way to avoid problems is to bind to localhost, but the
> firewall can be nice.
It would be nice if the firewall automatically followed services that
I have enabled and disabled. eg. If I explicitly enable the
webserver, it should open the corresponding port(s).
Just disable the firewall and
you'll get pretty much equivalent
functionality.
Mirek
1 p.m.
New subject: Firewall
On 12/06/2010 10:07 AM, Miloslav Trmač wrote:
Richard W.M. Jones píše v Po 06. 12. 2010 v 18:04 +0000:
> On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
>> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
>>> On most desktop systems firewall is not needed. Many users do not even
>>> know how to configure it. In fact I disable it in most of my systems,
>>> because there is no real use for it. So I asked a simple question
>>> whether there is a need to install iptables by default?
>>>
>>> Your answer is not satisfactory for me - because not configured
>>> firewall has nothing to do with security. In fact, it can only bring
>>> false sense of security.
>>
>> I believe the default is to block incoming connections except for a few
>> services. This is good if you are running a sloppily written
>> single-user server that binds to the wildcard address. The Haskell
>> Scion server fell in this category as of August 2009; I didn't look to
>> see what a remote user might be able to do to me by connecting to it.
>> Yes, the proper way to avoid problems is to bind to localhost, but the
>> firewall can be nice.
>
> It would be nice if the firewall automatically followed services that
> I have enabled and disabled. eg. If I explicitly enable the
> webserver, it should open the corresponding port(s).
Just disable the firewall and you'll get pretty much equivalent
functionality.
Mirek
Right, I always struggle with this. If you allow services that bind to
a port once enabled to have the port open, then what good does it do to
have the port closed?
I really wonder what real purpose a firewall serves on these machines.
Once you get past the "ZOMG WE NEED A FIREWALL"....
I can somewhat see a firewall trying to protect a system from a user
process that got launched without the user being aware and binding to a
high port for nefarious reasons, but how do you balance that with the
legitimate applications that bind to high ports?
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
1:05 p.m.
New subject: Firewall
On Mon, Dec 06, 2010 at 11:00:53AM -0800, Jesse Keating wrote:
On 12/06/2010 10:07 AM, Miloslav Trmač wrote:
> Richard W.M. Jones píše v Po 06. 12. 2010 v 18:04 +0000:
>> On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
>>> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
>>>> On most desktop systems firewall is not needed. Many users do not even
>>>> know how to configure it. In fact I disable it in most of my systems,
>>>> because there is no real use for it. So I asked a simple question
>>>> whether there is a need to install iptables by default?
>>>>
>>>> Your answer is not satisfactory for me - because not configured
>>>> firewall has nothing to do with security. In fact, it can only bring
>>>> false sense of security.
>>>
>>> I believe the default is to block incoming connections except for a few
>>> services. This is good if you are running a sloppily written
>>> single-user server that binds to the wildcard address. The Haskell
>>> Scion server fell in this category as of August 2009; I didn't look to
>>> see what a remote user might be able to do to me by connecting to it.
>>> Yes, the proper way to avoid problems is to bind to localhost, but the
>>> firewall can be nice.
>>
>> It would be nice if the firewall automatically followed services that
>> I have enabled and disabled. eg. If I explicitly enable the
>> webserver, it should open the corresponding port(s).
> Just disable the firewall and you'll get pretty much equivalent
> functionality.
> Mirek
>
Right, I always struggle with this. If you allow services that bind to
a port once enabled to have the port open, then what good does it do to
have the port closed?
I really wonder what real purpose a firewall serves on these machines.
Once you get past the "ZOMG WE NEED A FIREWALL"....
I can somewhat see a firewall trying to protect a system from a user
process that got launched without the user being aware and binding to a
high port for nefarious reasons, but how do you balance that with the
legitimate applications that bind to high ports?
The other benefit would be if the user only intended the
service to be accessible to localhost, or a UNIX domain
socket but for some reason screwed up their service's
config & opened it to the world.
Daniel
1:15 p.m.
New subject: Firewall
On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
The other benefit would be if the user only intended the
service to be accessible to localhost, or a UNIX domain
socket but for some reason screwed up their service's
config & opened it to the world.
I could buy this if we actually alerted users to this, when in fact we
/disable/ logging in the default firewall set, so your packets just
magically disappear leaving the user scratching their head as to why
the hell things aren't working.
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
1:27 p.m.
New subject: Firewall
On 12/06/2010 08:15 PM, Jesse Keating wrote:
On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
> The other benefit would be if the user only intended the
> service to be accessible to localhost, or a UNIX domain
> socket but for some reason screwed up their service's
> config& opened it to the world.
>
I could buy this if we actually alerted users to this, when in fact we
/disable/ logging in the default firewall set, so your packets just
magically disappear leaving the user scratching their head as to why
the hell things aren't working.
Thomas Woerner (iptables maintainer) is currently working on a prototype
for basically the next generation of firewalling. He'll put up the code
later this week with docu and all that shizzle as he just finished the
first prototype of it a week ago. It's by far not complete yet, but
it'll show enough of what you can do with it with some nice features and
useful stuff.
Basically it's a statefull firewall daemon now that allows us to support
and implement a lot of those features which have been so critically
missing in our old way of doing firewalls (aka static crap) and
basically impossible to do there. One example is libvirt and how it has
to change firewall rules dynamically depending on whether a guest is
started or shut down, and those rules should survive a restart of the
firewall (which currently they don't and can't). Roughly speaking it's a
bit similar with the switch from our static initscripts for network
configuration to NetworkManager and how it deals with network interfaces
nowadays.
A bit more initial info can already be found here:
https://fedoraproject.org/wiki/SystemConfig/firewall
but he'll send out a much more detailed description of what the new
firewalld will be able to do and what problems we can solve with it.
One thing is e.g notifications to users when some service/app requests
to open a port. First version won't have network zones yet, but he and
Dan Williams are working on that for the next generation which will then
basically allow it to let the user decide once for each
interface/connection what should happen with it and never be bothered
with it afterwards.
Thanks & regards, Phil
--
Philipp Knirsch | Tel.: +49-711-96437-470
Supervisor Core Services | Fax.: +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch <pknirsch(a)redhat.com>
Hauptstaetterstr. 58 | Web: http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd: You're only jealous cos the little penguins are talking to me.
1:29 p.m.
New subject: Firewall
On 12/06/2010 11:27 AM, Phil Knirsch wrote:
On 12/06/2010 08:15 PM, Jesse Keating wrote:
> On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
>> The other benefit would be if the user only intended the
>> service to be accessible to localhost, or a UNIX domain
>> socket but for some reason screwed up their service's
>> config& opened it to the world.
>>
>
> I could buy this if we actually alerted users to this, when in fact we
> /disable/ logging in the default firewall set, so your packets just
> magically disappear leaving the user scratching their head as to why
> the hell things aren't working.
>
Thomas Woerner (iptables maintainer) is currently working on a prototype
for basically the next generation of firewalling. He'll put up the code
later this week with docu and all that shizzle as he just finished the
first prototype of it a week ago. It's by far not complete yet, but
it'll show enough of what you can do with it with some nice features and
useful stuff.
Basically it's a statefull firewall daemon now that allows us to support
and implement a lot of those features which have been so critically
missing in our old way of doing firewalls (aka static crap) and
basically impossible to do there. One example is libvirt and how it has
to change firewall rules dynamically depending on whether a guest is
started or shut down, and those rules should survive a restart of the
firewall (which currently they don't and can't). Roughly speaking it's a
bit similar with the switch from our static initscripts for network
configuration to NetworkManager and how it deals with network interfaces
nowadays.
A bit more initial info can already be found here:
https://fedoraproject.org/wiki/SystemConfig/firewall
but he'll send out a much more detailed description of what the new
firewalld will be able to do and what problems we can solve with it.
One thing is e.g notifications to users when some service/app requests
to open a port. First version won't have network zones yet, but he and
Dan Williams are working on that for the next generation which will then
basically allow it to let the user decide once for each
interface/connection what should happen with it and never be bothered
with it afterwards.
Thanks & regards, Phil
Sounds interesting, thanks Phil!
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
1:53 p.m.
New subject: Firewall
Phil Knirsch (pknirsch(a)redhat.com) said:
Basically it's a statefull firewall daemon now that allows us to
support
and implement a lot of those features which have been so critically
missing in our old way of doing firewalls (aka static crap) and
basically impossible to do there. One example is libvirt and how it has
to change firewall rules dynamically depending on whether a guest is
started or shut down, and those rules should survive a restart of the
firewall (which currently they don't and can't). Roughly speaking it's a
bit similar with the switch from our static initscripts for network
configuration to NetworkManager and how it deals with network interfaces
nowadays.
Sounds good....
One thing is e.g notifications to users when some service/app
requests
to open a port. First version won't have network zones yet, but he and
Dan Williams are working on that for the next generation which will then
basically allow it to let the user decide once for each
interface/connection what should happen with it and never be bothered
with it afterwards.
... but this seems absolutely wrong. The last thing we want is to be
pestering the user with information they may not understand, and are not
fully capable of acting on. Take the constant complaints about
SETroubleshoot, or the constant mocking of Windows Vista's security popups,
for example.
Bill
1:59 p.m.
New subject: Firewall
On 12/06/2010 08:53 PM, Bill Nottingham wrote:
Phil Knirsch (pknirsch(a)redhat.com) said:
> Basically it's a statefull firewall daemon now that allows us to support
> and implement a lot of those features which have been so critically
> missing in our old way of doing firewalls (aka static crap) and
> basically impossible to do there. One example is libvirt and how it has
> to change firewall rules dynamically depending on whether a guest is
> started or shut down, and those rules should survive a restart of the
> firewall (which currently they don't and can't). Roughly speaking it's a
> bit similar with the switch from our static initscripts for network
> configuration to NetworkManager and how it deals with network interfaces
> nowadays.
Sounds good....
> One thing is e.g notifications to users when some service/app requests
> to open a port. First version won't have network zones yet, but he and
> Dan Williams are working on that for the next generation which will then
> basically allow it to let the user decide once for each
> interface/connection what should happen with it and never be bothered
> with it afterwards.
... but this seems absolutely wrong. The last thing we want is to be
pestering the user with information they may not understand, and are not
fully capable of acting on. Take the constant complaints about
SETroubleshoot, or the constant mocking of Windows Vista's security popups,
for example.
I agree that this is a problem but it would be nice if firewalld could
still keep track of this information and make it available on demand
(basically a log). Maybe the notification could be based on that and only
pop up if configured to do so by the users who care.
Regards,
Dennis
2:02 p.m.
New subject: Firewall
On 12/06/2010 08:59 PM, Dennis Jacobfeuerborn wrote:
On 12/06/2010 08:53 PM, Bill Nottingham wrote:
> Phil Knirsch (pknirsch(a)redhat.com) said:
>> Basically it's a statefull firewall daemon now that allows us to support
>> and implement a lot of those features which have been so critically
>> missing in our old way of doing firewalls (aka static crap) and
>> basically impossible to do there. One example is libvirt and how it has
>> to change firewall rules dynamically depending on whether a guest is
>> started or shut down, and those rules should survive a restart of the
>> firewall (which currently they don't and can't). Roughly speaking
it's a
>> bit similar with the switch from our static initscripts for network
>> configuration to NetworkManager and how it deals with network interfaces
>> nowadays.
>
> Sounds good....
>
>> One thing is e.g notifications to users when some service/app requests
>> to open a port. First version won't have network zones yet, but he and
>> Dan Williams are working on that for the next generation which will then
>> basically allow it to let the user decide once for each
>> interface/connection what should happen with it and never be bothered
>> with it afterwards.
>
> ... but this seems absolutely wrong. The last thing we want is to be
> pestering the user with information they may not understand, and are not
> fully capable of acting on. Take the constant complaints about
> SETroubleshoot, or the constant mocking of Windows Vista's security popups,
> for example.
I agree that this is a problem but it would be nice if firewalld could
still keep track of this information and make it available on demand
(basically a log). Maybe the notification could be based on that and only
pop up if configured to do so by the users who care.
Regards,
Dennis
Aye, thats a good idea. And easily doable.
Thanks & regards, Phil
--
Philipp Knirsch | Tel.: +49-711-96437-470
Supervisor Core Services | Fax.: +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch <pknirsch(a)redhat.com>
Hauptstaetterstr. 58 | Web: http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd: You're only jealous cos the little penguins are talking to me.
2:01 p.m.
New subject: Firewall
On 12/06/2010 08:53 PM, Bill Nottingham wrote:
Phil Knirsch (pknirsch(a)redhat.com) said:
> Basically it's a statefull firewall daemon now that allows us to support
> and implement a lot of those features which have been so critically
> missing in our old way of doing firewalls (aka static crap) and
> basically impossible to do there. One example is libvirt and how it has
> to change firewall rules dynamically depending on whether a guest is
> started or shut down, and those rules should survive a restart of the
> firewall (which currently they don't and can't). Roughly speaking it's a
> bit similar with the switch from our static initscripts for network
> configuration to NetworkManager and how it deals with network interfaces
> nowadays.
Sounds good....
> One thing is e.g notifications to users when some service/app requests
> to open a port. First version won't have network zones yet, but he and
> Dan Williams are working on that for the next generation which will then
> basically allow it to let the user decide once for each
> interface/connection what should happen with it and never be bothered
> with it afterwards.
... but this seems absolutely wrong. The last thing we want is to be
pestering the user with information they may not understand, and are not
fully capable of acting on. Take the constant complaints about
SETroubleshoot, or the constant mocking of Windows Vista's security popups,
for example.
Bill
Ah, don't worry, this is just an example what you could do with it. What
and how we use it later on, especially in a GUI environment is a matter
of obviously sane defaults. It's just right now one of the easiest
examples to demonstrate the event based system the firewalld is using
where you can basically hook into dbus and listen for firewall changes.
It's all about providing the necessary framework at this point to later
on sanely be able to do what we need to do in all kinds of environments
with firewalls.
And specifically for the Desktop case you, me and the desktop team very
opposed to those kinds of popups with cryptic firewall info or questions
(and rightly so as it unnecessarily confuses the average user and
doesn't offer and value == bad user experience). So that's definitely
something that will be disabled by default and is only in there now for
demonstration purposes.
Thanks & regards, Phil
--
Philipp Knirsch | Tel.: +49-711-96437-470
Supervisor Core Services | Fax.: +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch <pknirsch(a)redhat.com>
Hauptstaetterstr. 58 | Web: http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd: You're only jealous cos the little penguins are talking to me.
6:41 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 14:53 -0500, Bill Nottingham wrote:
<snip>
> One thing is e.g notifications to users when some service/app
requests
> to open a port. First version won't have network zones yet, but he and
> Dan Williams are working on that for the next generation which will then
> basically allow it to let the user decide once for each
> interface/connection what should happen with it and never be bothered
> with it afterwards.
... but this seems absolutely wrong. The last thing we want is to be
pestering the user with information they may not understand, and are not
fully capable of acting on. Take the constant complaints about
SETroubleshoot, or the constant mocking of Windows Vista's security popups,
for example.
Actually, this is something that Desktop people can live with, as long
as the desktop has the final word on whether or not to display the
questions and how to present them (but that would allow us to answer the
simple questions of "are you at home" and "do you have want share your
dubious music/fleshy moving pictures when at the internet cafe").
2:08 p.m.
New subject: Firewall
On Mon, Dec 06, 2010 at 08:27:00PM +0100, Phil Knirsch wrote:
Basically it's a statefull firewall daemon now that allows us to
support
and implement a lot of those features which have been so critically
Does this *really* need to be implemented as yet another constantly-running
daemon? Because by its nature, iptables already maintains its state, and it
seems unnecessary to have another program running in userspace to do the
same thing.
--
Matthew Miller <mattdm(a)mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences
3:50 p.m.
New subject: Firewall
On Mon, Dec 06, 2010 at 03:08:46PM -0500, Matthew Miller wrote:
On Mon, Dec 06, 2010 at 08:27:00PM +0100, Phil Knirsch wrote:
> Basically it's a statefull firewall daemon now that allows us to support
> and implement a lot of those features which have been so critically
Does this *really* need to be implemented as yet another constantly-running
daemon? Because by its nature, iptables already maintains its state, and it
seems unnecessary to have another program running in userspace to do the
same thing.
+1
Still not seeing how /etc/iptables.d wouldn't work ...
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
3:50 a.m.
New subject: Firewall
On Mon, 2010-12-06 at 21:50 +0000, Richard W.M. Jones wrote:
Still not seeing how /etc/iptables.d wouldn't work ...
Here is how:
When I ask CUPS for a list of network printers, it runs the backends
in /usr/lib/cups/backend. One of those is /usr/lib/cups/backend/snmp,
which:
a) binds to a local unprivileged UDP port
b) sends a broadcast SNMP request
c) listens for (unicast) responses to that request
We don't hear any of those responses because they are not recognised as
"related" by the kernel. The iptables rules drop them.
If the CUPS snmp backend could say to "the firewall", "hey, please allow
responses on this port I've got for the next few seconds" -- which can
be controlled using PolicyKit -- then this network discovery would
finally work.
There's no way to know the local UDP port in advance
so /etc/iptables.d-like systems all fail here.
Tim.
*/
8:36 a.m.
New subject: Firewall
Once upon a time, Tim Waugh <twaugh(a)redhat.com> said:
When I ask CUPS for a list of network printers, it runs the backends
in /usr/lib/cups/backend. One of those is /usr/lib/cups/backend/snmp,
which:
a) binds to a local unprivileged UDP port
b) sends a broadcast SNMP request
c) listens for (unicast) responses to that request
We don't hear any of those responses because they are not recognised as
"related" by the kernel. The iptables rules drop them.
If the CUPS snmp backend could say to "the firewall", "hey, please allow
responses on this port I've got for the next few seconds" -- which can
be controlled using PolicyKit -- then this network discovery would
finally work.
Congrats, you have re-invented UPnP, although a local-only version
maybe (not that I think that is necessarily a bad thing).
--
Chris Adams <cmadams(a)hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
9:24 a.m.
New subject: Firewall
Chris Adams (cmadams(a)hiwaay.net) said:
> a) binds to a local unprivileged UDP port
> b) sends a broadcast SNMP request
> c) listens for (unicast) responses to that request
>
> We don't hear any of those responses because they are not recognised as
> "related" by the kernel. The iptables rules drop them.
>
> If the CUPS snmp backend could say to "the firewall", "hey, please
allow
> responses on this port I've got for the next few seconds" -- which can
> be controlled using PolicyKit -- then this network discovery would
> finally work.
Congrats, you have re-invented UPnP, although a local-only version
maybe (not that I think that is necessarily a bad thing).
I could be wrong, but I'd guess that any SNMP implementation probably
predates UPnP by a good bit.
Bill
9:27 a.m.
New subject: Firewall
Once upon a time, Bill Nottingham <notting(a)redhat.com> said:
Chris Adams (cmadams(a)hiwaay.net) said:
> > a) binds to a local unprivileged UDP port
> > b) sends a broadcast SNMP request
> > c) listens for (unicast) responses to that request
> >
> > We don't hear any of those responses because they are not recognised as
> > "related" by the kernel. The iptables rules drop them.
> >
> > If the CUPS snmp backend could say to "the firewall", "hey,
please allow
> > responses on this port I've got for the next few seconds" -- which
can
> > be controlled using PolicyKit -- then this network discovery would
> > finally work.
>
> Congrats, you have re-invented UPnP, although a local-only version
> maybe (not that I think that is necessarily a bad thing).
I could be wrong, but I'd guess that any SNMP implementation probably
predates UPnP by a good bit.
Oh yeah, that's not what I meant. I meant the "daemon needs to notify
firewall of temporary change" mechanism is not a new requirement. UPnP
may not be the best way of doing that, but it would probably be better
to implement that for this kind of thing, rather than re-invent the
wheel.
--
Chris Adams <cmadams(a)hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
5:34 p.m.
New subject: Firewall
Chris Adams wrote:
Congrats, you have re-invented UPnP, although a local-only version
maybe (not that I think that is necessarily a bad thing).
Hmmm, indeed, KDE is moving towards using UPnP for more and more things,
it'd be nice if it were used throughout Fedora, or at least supported by
whatever firewall controlling system will be the default.
Of course, it would still be a system-level policy decision whether to allow
UPnP, but support for it would be nice.
Kevin Kofler
9:28 a.m.
New subject: Firewall
On Tue, Dec 07, 2010 at 09:50:22AM +0000, Tim Waugh wrote:
On Mon, 2010-12-06 at 21:50 +0000, Richard W.M. Jones wrote:
> Still not seeing how /etc/iptables.d wouldn't work ...
Here is how:
When I ask CUPS for a list of network printers, it runs the backends
in /usr/lib/cups/backend. One of those is /usr/lib/cups/backend/snmp,
which:
a) binds to a local unprivileged UDP port
b) sends a broadcast SNMP request
c) listens for (unicast) responses to that request
We don't hear any of those responses because they are not recognised as
"related" by the kernel. The iptables rules drop them.
If the CUPS snmp backend could say to "the firewall", "hey, please allow
responses on this port I've got for the next few seconds" -- which can
be controlled using PolicyKit -- then this network discovery would
finally work.
There's no way to know the local UDP port in advance
so /etc/iptables.d-like systems all fail here.
Does firewalld solve this? Surely a solution to this is going to have
to live in a stateful extension to iptables in the kernel, or a fix to
the 'related' packets function?
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top
9:52 a.m.
New subject: Firewall
On 12/07/2010 04:28 PM, Richard W.M. Jones wrote:
On Tue, Dec 07, 2010 at 09:50:22AM +0000, Tim Waugh wrote:
> On Mon, 2010-12-06 at 21:50 +0000, Richard W.M. Jones wrote:
>> Still not seeing how /etc/iptables.d wouldn't work ...
>
> Here is how:
>
> When I ask CUPS for a list of network printers, it runs the backends
> in /usr/lib/cups/backend. One of those is /usr/lib/cups/backend/snmp,
> which:
>
> a) binds to a local unprivileged UDP port
> b) sends a broadcast SNMP request
> c) listens for (unicast) responses to that request
>
> We don't hear any of those responses because they are not recognised as
> "related" by the kernel. The iptables rules drop them.
>
> If the CUPS snmp backend could say to "the firewall", "hey, please
allow
> responses on this port I've got for the next few seconds" -- which can
> be controlled using PolicyKit -- then this network discovery would
> finally work.
>
> There's no way to know the local UDP port in advance
> so /etc/iptables.d-like systems all fail here.
Does firewalld solve this? Surely a solution to this is going to have
to live in a stateful extension to iptables in the kernel, or a fix to
the 'related' packets function?
Rich.
I'm pretty sure it was one of the things that Thomas was looking into
together with Tim as that has been one of the things that just didn't
properly work out of the box for cups and printer discovery. I'm not
exactly sure about how they planed to fix it though, i'd need to double
check with him.
Thanks & regards, Phil
--
Philipp Knirsch | Tel.: +49-711-96437-470
Supervisor Core Services | Fax.: +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch <pknirsch(a)redhat.com>
Hauptstaetterstr. 58 | Web: http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd: You're only jealous cos the little penguins are talking to me.
10:18 a.m.
New subject: Firewall
On Tue, Dec 07, 2010 at 09:50:22AM +0000, Tim Waugh wrote:
If the CUPS snmp backend could say to "the firewall",
"hey, please allow
responses on this port I've got for the next few seconds" -- which can
be controlled using PolicyKit -- then this network discovery would
finally work.
Is there a compelling reason for this not to be:
- cups snmp backend says to "the firewall", "hey, please allow
responses on this port I've got"
- cups snmp backend listens for responses until timeout
- cups snmp backend says to "the firewall", "hey, I'm done now.
thanks!"
That seems more helpful than "a few seconds" anyway. And worst case is that
the snmp backend crashes or otherwise forgets to remove its rule, which
shouldn't be terribly severe since then it won't be listening, either. Some
other point the the cups startup/stop process could make sure any such
leftover rules are cleared just to be sure.
I have no problem with the mechanism for talking to the firewall being some
PolicyKit-enabled helper program. I just don't see a strong argument for it
being a daemon.
--
Matthew Miller <mattdm(a)mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences
4:21 a.m.
New subject: Firewall
On Tue, 2010-12-07 at 11:18 -0500, Matthew Miller wrote:
Is there a compelling reason for this not to be:
- cups snmp backend says to "the firewall", "hey, please allow
responses on this port I've got"
- cups snmp backend listens for responses until timeout
- cups snmp backend says to "the firewall", "hey, I'm done now.
thanks!"
That seems more helpful than "a few seconds" anyway. And worst case is that
the snmp backend crashes or otherwise forgets to remove its rule, which
shouldn't be terribly severe since then it won't be listening, either. Some
other point the the cups startup/stop process could make sure any such
leftover rules are cleared just to be sure.
Well, it could be done that way. The reason I didn't suggest that
originally was that CUPS has to kill backends if they take too long, so
it would seem quite likely that stale rules would get left around in
some instances if they required explicit revocation.
In the worst case you have a random unprivileged UDP port open --
there's nothing to associate it with SNMP, or the CUPS snmp backend.
The backend won't be listening on it, but some other process may well
choose that port later on.
I have no problem with the mechanism for talking to the firewall
being some
PolicyKit-enabled helper program. I just don't see a strong argument for it
being a daemon.
With D-Bus object activation, maybe it doesn't need to be running all
the time (e.g. as with the current system-config-firewall D-Bus
service)? I'm not sure as I haven't seen the prototype yet.
Tim.
*/
1:40 p.m.
New subject: Firewall
On Mon, Dec 06, 2010 at 11:15:37AM -0800, Jesse Keating wrote:
On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
> The other benefit would be if the user only intended the
> service to be accessible to localhost, or a UNIX domain
> socket but for some reason screwed up their service's
> config & opened it to the world.
>
I could buy this if we actually alerted users to this, when in fact we
/disable/ logging in the default firewall set, so your packets just
magically disappear leaving the user scratching their head as to why
the hell things aren't working.
Yes, enabling logging of packets really helps to track down
firewall misconfiguration.
What we really lack is good visibility for n00bs. Sure you can do
'netstat -anp' to show open ports and (if you're more of an expert
than me) look at iptables to see what's wrong, but having nice GUI
tools to display this information would be better.
(No, I'm not volunteering to write them ...)
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
1:43 p.m.
New subject: Firewall
On 12/06/2010 08:40 PM, Richard W.M. Jones wrote:
On Mon, Dec 06, 2010 at 11:15:37AM -0800, Jesse Keating wrote:
> On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
>> The other benefit would be if the user only intended the
>> service to be accessible to localhost, or a UNIX domain
>> socket but for some reason screwed up their service's
>> config& opened it to the world.
>>
>
> I could buy this if we actually alerted users to this, when in fact we
> /disable/ logging in the default firewall set, so your packets just
> magically disappear leaving the user scratching their head as to why
> the hell things aren't working.
Yes, enabling logging of packets really helps to track down
firewall misconfiguration.
What we really lack is good visibility for n00bs. Sure you can do
'netstat -anp' to show open ports and (if you're more of an expert
than me) look at iptables to see what's wrong, but having nice GUI
tools to display this information would be better.
(No, I'm not volunteering to write them ...)
Rich.
Thats actually a really nice idea we could tackle with the firewall
stuff Thomas is working on in the future.
added_to_feature_list++ :)
Thanks & regards, Phil
--
Philipp Knirsch | Tel.: +49-711-96437-470
Supervisor Core Services | Fax.: +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch <pknirsch(a)redhat.com>
Hauptstaetterstr. 58 | Web: http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd: You're only jealous cos the little penguins are talking to me.
2:01 p.m.
New subject: Firewall
On 12/06/2010 08:43 PM, Phil Knirsch wrote:
On 12/06/2010 08:40 PM, Richard W.M. Jones wrote:
> On Mon, Dec 06, 2010 at 11:15:37AM -0800, Jesse Keating wrote:
>> On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
>>> The other benefit would be if the user only intended the
>>> service to be accessible to localhost, or a UNIX domain
>>> socket but for some reason screwed up their service's
>>> config& opened it to the world.
>>>
>>
>> I could buy this if we actually alerted users to this, when in fact we
>> /disable/ logging in the default firewall set, so your packets just
>> magically disappear leaving the user scratching their head as to why
>> the hell things aren't working.
>
> Yes, enabling logging of packets really helps to track down
> firewall misconfiguration.
>
> What we really lack is good visibility for n00bs. Sure you can do
> 'netstat -anp' to show open ports and (if you're more of an expert
> than me) look at iptables to see what's wrong, but having nice GUI
> tools to display this information would be better.
>
> (No, I'm not volunteering to write them ...)
>
> Rich.
>
Thats actually a really nice idea we could tackle with the firewall
stuff Thomas is working on in the future.
added_to_feature_list++ :)
Add accounting too. Assuming that the Zones are implemented as chains it
would be nice to be able to review how much traffic a Zone and/or the
services are seeing.
Regards,
Dennis
1:44 p.m.
New subject: Firewall
Richard W.M. Jones wrote:
What we really lack is good visibility for n00bs. Sure you can do
'netstat -anp' to show open ports and (if you're more of an expert
than me) look at iptables to see what's wrong, but having nice GUI
tools to display this information would be better.
Like... iptstate?
8:04 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 19:05 +0000, Daniel P. Berrange wrote:
The other benefit would be if the user only intended the
service to be accessible to localhost, or a UNIX domain
socket but for some reason screwed up their service's
config & opened it to the world.
I use it as a safety net for much this reason. I am not comfortable with
100% guaranteeing that 'helpful' services we install by default like
Avahi are not doing things I really wouldn't want them to do when I
connect to some open wifi network.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
8:07 p.m.
New subject: Firewall
On 12/06/2010 06:04 PM, Adam Williamson wrote:
On Mon, 2010-12-06 at 19:05 +0000, Daniel P. Berrange wrote:
> The other benefit would be if the user only intended the
> service to be accessible to localhost, or a UNIX domain
> socket but for some reason screwed up their service's
> config & opened it to the world.
I use it as a safety net for much this reason. I am not comfortable with
100% guaranteeing that 'helpful' services we install by default like
Avahi are not doing things I really wouldn't want them to do when I
connect to some open wifi network.
I think this is where the zones work that was talked about will come in
handy. If you connect to a new unknown network, default to firewalled
until the user "trusts" the zone. But if you trust the zone, trust it,
don't get in the way.
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
8:30 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 18:07 -0800, Jesse Keating wrote:
On 12/06/2010 06:04 PM, Adam Williamson wrote:
> On Mon, 2010-12-06 at 19:05 +0000, Daniel P. Berrange wrote:
>
>> The other benefit would be if the user only intended the
>> service to be accessible to localhost, or a UNIX domain
>> socket but for some reason screwed up their service's
>> config & opened it to the world.
>
> I use it as a safety net for much this reason. I am not comfortable with
> 100% guaranteeing that 'helpful' services we install by default like
> Avahi are not doing things I really wouldn't want them to do when I
> connect to some open wifi network.
I think this is where the zones work that was talked about will come in
handy. If you connect to a new unknown network, default to firewalled
until the user "trusts" the zone. But if you trust the zone, trust it,
don't get in the way.
yep, indeed. though, of course, implementation can be a pain. Windows
implements something like this, and half the vulnerability announcements
I see seem to be for things that manage to violate this model by
appearing to be from the trusted zone when they're not. (IE used to have
a similar system, which they never managed to get right, so I think
they've either removed it or they just default to every zone being
equally untrusted now).
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
8:10 p.m.
New subject: Firewall
Once upon a time, Adam Williamson <awilliam(a)redhat.com> said:
I use it as a safety net for much this reason. I am not comfortable
with
100% guaranteeing that 'helpful' services we install by default like
Avahi are not doing things I really wouldn't want them to do when I
connect to some open wifi network.
So, you don't trust the services that are installed by default, but you
do trust the installed default firewall config?
--
Chris Adams <cmadams(a)hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
9:23 p.m.
New subject: Firewall
On Mon, Dec 6, 2010 at 19:10, Chris Adams <cmadams(a)hiwaay.net> wrote:
Once upon a time, Adam Williamson <awilliam(a)redhat.com> said:
> I use it as a safety net for much this reason. I am not comfortable with
> 100% guaranteeing that 'helpful' services we install by default like
> Avahi are not doing things I really wouldn't want them to do when I
> connect to some open wifi network.
So, you don't trust the services that are installed by default, but you
do trust the installed default firewall config?
Why yes, yes I do. There are a lot of services that are listening to
0.0.0.0:* on my system I have no idea about but when I turn off things
quit working in weird ways.
I know the default firewall allows in 22 only because I said so.
However the key thing is I can and do test that the firewall works.
[Can I attach to cups, avahi, ntp, portmap, dhcpd (because I am
running virt systems).. if I can then the firewall is broken.] I can
not test what those apps do or how safe they are.
--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren
1:09 p.m.
New subject: Firewall
Jesse Keating píše v Po 06. 12. 2010 v 11:00 -0800:
Right, I always struggle with this. If you allow services that bind
to
a port once enabled to have the port open, then what good does it do to
have the port closed?
I really wonder what real purpose a firewall serves on these machines.
Once you get past the "ZOMG WE NEED A FIREWALL"....
I can see the following primary reasons to have a firewall:
* Enforcing a sysadmin-set (system-wide or site-wide) policy.
"No, you will not run any bittorrent client on the company's
computer".
* A "speed bump" that requires an independent action to prevent
unintentionally opening up a service.
"You have started $server, and it accepts connections from the
whole internet. Here's your chance to think about this again.
Do you want to open the port?"
* ZOMG WE NEED A FIREWALL
"I can't use this Linux thing, my bank requires me to run an
antivirus and a firewall."
Are there other reasons?
Mirek
1:14 p.m.
New subject: Firewall
On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
Jesse Keating píše v Po 06. 12. 2010 v 11:00 -0800:
> Right, I always struggle with this. If you allow services that bind to
> a port once enabled to have the port open, then what good does it do to
> have the port closed?
>
> I really wonder what real purpose a firewall serves on these machines.
> Once you get past the "ZOMG WE NEED A FIREWALL"....
I can see the following primary reasons to have a firewall:
* Enforcing a sysadmin-set (system-wide or site-wide) policy.
"No, you will not run any bittorrent client on the company's
computer".
That's an excellent reason for being able to deploy a firewall. Not
really sure this is a good reason for having a firewall configured by
default on personal installs.
* A "speed bump" that requires an independent action to prevent
unintentionally opening up a service.
"You have started $server, and it accepts connections from the
whole internet. Here's your chance to think about this again.
Do you want to open the port?"
Yet we don't have that kind of UI present. So instead now we have
people trying to turn on services, having it not work, and spending time
/ energy fiddling with config files before they finally realize it was
the firewall. Then they just turn it off and grumble. At least the
other OS gives you a pop up to let some service through, although there
are problems with that too.
* ZOMG WE NEED A FIREWALL
"I can't use this Linux thing, my bank requires me to run an
antivirus and a firewall."
Fair enough, again reasons for being capable of having one, but not
convinced it's needed by default. (I realize I wasn't making a default
or not argument in my first email)
Are there other reasons?
Mirek
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
1:34 p.m.
New subject: Firewall
Jesse Keating píše v Po 06. 12. 2010 v 11:14 -0800:
On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
> Jesse Keating píše v Po 06. 12. 2010 v 11:00 -0800:
>> Right, I always struggle with this. If you allow services that bind to
>> a port once enabled to have the port open, then what good does it do to
>> have the port closed?
>>
>> I really wonder what real purpose a firewall serves on these machines.
>> Once you get past the "ZOMG WE NEED A FIREWALL"....
>
> I can see the following primary reasons to have a firewall:
>
> * Enforcing a sysadmin-set (system-wide or site-wide) policy.
>
> "No, you will not run any bittorrent client on the company's
> computer".
That's an excellent reason for being able to deploy a firewall. Not
really sure this is a good reason for having a firewall configured by
default on personal installs.
It's not, but we don't really have
"personal installs"; any system can
be a desktop, a server, or both at the same time.
> * A "speed bump" that requires an independent
action to prevent
> unintentionally opening up a service.
>
> "You have started $server, and it accepts connections from the
> whole internet. Here's your chance to think about this again.
> Do you want to open the port?"
Yet we don't have that kind of UI present. So instead now we have
people trying to turn on services, having it not work, and spending time
/ energy fiddling with config files before they finally realize it was
the firewall.
For "server" applications, I don't think this is a big
problem: If the
user has been able to find and edit httpd.conf, they can also learn
about the firewall.
For "desktop" users, what kind of services are we talking about?
gnome-user-share? Will a "desktop" user know about this concept, or just
send the data over e-mail or IM?
SIP? Desktop sharing? An incoming connection won't be able to come
through the ADSL modem's NAT anyway, so some kind of tunneling or an
external service broker (which turns the connection from incoming into
outgoing, enabled by default) is needed.
It may be just me, but really can't remember a single example when the
firewall has broken something for me, at least in the last 10 years.
Then they just turn it off and grumble. At least the
other OS gives you a pop up to let some service through, although there
are problems with that too.
My experience with the Windows prompts is absolutely
horrible - I
started an application and I was asked "do you want this to bypass the
firewall" - I know that if I deny the request, the application will
probably not work, but I'm never told why does the application need such
access when most other applications on the system do not. Is it
legitimate, or is the application spying on me, is this for some kind of
"remote software disable" functionality? All that the prompt does is
make me worry. (This is probably more of an indication of the low level
of trust Windows software downloaded form the internet than of the
quality of the firewall, but this shows that the firewall interface does
not match the problem space well.)
Mirek
1:38 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 20:34 +0100, Miloslav Trmač wrote:
It's not, but we don't really have "personal
installs"; any system can
be a desktop, a server, or both at the same time.
Agreed - I think the case being described by Jesse, though, is the
livecd case. That's what the 'personal install' seems to be to me. In
that case the livecd kickstart can turn off the iptables, if it so
chooses. I'd recommend against it.
SIP? Desktop sharing? An incoming connection won't be able to
come
through the ADSL modem's NAT anyway, so some kind of tunneling or an
external service broker (which turns the connection from incoming into
outgoing, enabled by default) is needed.
It may be just me, but really can't remember a single example when the
firewall has broken something for me, at least in the last 10 years.
I'll add a +1 to this, too. The only client having trouble I can think
of in forever is bittorrent and that wasn't my firewall it was my
wireless router.
Having iptables on just keeps out the port probes when you're on a
public network - the way ours is configured in fedora makes it pretty
easy for most client apps.
-sv
1:48 p.m.
New subject: Firewall
On 12/06/2010 11:34 AM, Miloslav Trmač wrote:
Jesse Keating píše v Po 06. 12. 2010 v 11:14 -0800:
> On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
>> Jesse Keating píše v Po 06. 12. 2010 v 11:00 -0800:
>>> Right, I always struggle with this. If you allow services that bind to
>>> a port once enabled to have the port open, then what good does it do to
>>> have the port closed?
>>>
>>> I really wonder what real purpose a firewall serves on these machines.
>>> Once you get past the "ZOMG WE NEED A FIREWALL"....
>>
>> I can see the following primary reasons to have a firewall:
>>
>> * Enforcing a sysadmin-set (system-wide or site-wide) policy.
>>
>> "No, you will not run any bittorrent client on the company's
>> computer".
>
> That's an excellent reason for being able to deploy a firewall. Not
> really sure this is a good reason for having a firewall configured by
> default on personal installs.
It's not, but we don't really have "personal installs"; any system can
be a desktop, a server, or both at the same time.
I generally think of somebody going through the graphical installer as
being a personal install. Kickstarts are different. And if the person
is a sysadmin installing a server manually via the graphical installer,
I'm sure they can turn on / configure the firewall as needed.
>> * A "speed bump" that requires an independent action to prevent
>> unintentionally opening up a service.
>>
>> "You have started $server, and it accepts connections from the
>> whole internet. Here's your chance to think about this again.
>> Do you want to open the port?"
>
> Yet we don't have that kind of UI present. So instead now we have
> people trying to turn on services, having it not work, and spending time
> / energy fiddling with config files before they finally realize it was
> the firewall.
For "server" applications, I don't think this is a big problem: If the
user has been able to find and edit httpd.conf, they can also learn
about the firewall.
For "desktop" users, what kind of services are we talking about?
gnome-user-share? Will a "desktop" user know about this concept, or just
send the data over e-mail or IM?
SIP? Desktop sharing? An incoming connection won't be able to come
through the ADSL modem's NAT anyway, so some kind of tunneling or an
external service broker (which turns the connection from incoming into
outgoing, enabled by default) is needed.
It may be just me, but really can't remember a single example when the
firewall has broken something for me, at least in the last 10 years.
Bittorrent, network games, zero conf come to mind.
> Then they just turn it off and grumble. At least the
> other OS gives you a pop up to let some service through, although there
> are problems with that too.
My experience with the Windows prompts is absolutely horrible - I
started an application and I was asked "do you want this to bypass the
firewall" - I know that if I deny the request, the application will
probably not work, but I'm never told why does the application need such
access when most other applications on the system do not. Is it
legitimate, or is the application spying on me, is this for some kind of
"remote software disable" functionality? All that the prompt does is
make me worry. (This is probably more of an indication of the low level
of trust Windows software downloaded form the internet than of the
quality of the firewall, but this shows that the firewall interface does
not match the problem space well.)
Mirek
At least Windows gives you a popup. On our side not only do we not know
why apps are trying to bind to network ports, we don't even know which
ones are trying! We seem to not trust /anything/ even though we
installed it!
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
1:53 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 11:48 -0800, Jesse Keating wrote:
Bittorrent, network games, zero conf come to mind.
Bittorrent won't work through many/most wireless routers unless they are
not natted and/or not explicitly configured.
what network games?
Heck, what network games do we HAVE?
what are the use cases of zeroconf-enabled apps that we're targetting?
-sv
1:55 p.m.
New subject: Firewall
seth vidal (skvidal(a)fedoraproject.org) said:
Bittorrent won't work through many/most wireless routers unless
they are
not natted and/or not explicitly configured.
what network games?
Heck, what network games do we HAVE?
what are the use cases of zeroconf-enabled apps that we're targetting?
Zeroconf and IPP browse packets are both means of making priting less
of a giant pain to set up.
Bill
1:56 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
seth vidal (skvidal(a)fedoraproject.org) said:
> Bittorrent won't work through many/most wireless routers unless they are
> not natted and/or not explicitly configured.
>
> what network games?
> Heck, what network games do we HAVE?
>
> what are the use cases of zeroconf-enabled apps that we're targetting?
Zeroconf and IPP browse packets are both means of making priting less
of a giant pain to set up.
ah, printing.
Is there anything that's not last century?
-sv
2:01 p.m.
New subject: Firewall
On Mon, Dec 06, 2010 at 02:56:19PM -0500, seth vidal wrote:
On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
> seth vidal (skvidal(a)fedoraproject.org) said:
> > Bittorrent won't work through many/most wireless routers unless they are
> > not natted and/or not explicitly configured.
> >
> > what network games?
> > Heck, what network games do we HAVE?
> >
> > what are the use cases of zeroconf-enabled apps that we're targetting?
>
> Zeroconf and IPP browse packets are both means of making priting less
> of a giant pain to set up.
ah, printing.
Is there anything that's not last century?
Yeah, general discovery. From the top of my head:
- Pulseaudio sinks and sources
- libvirt instances for virt-manager
- VNC desktops for Vinagre
- local web pages (think SOHO router config page) for zeroconf
enabled Webbrowsers like Epiphany
- remote disk management (udisks)
- local FTP sites and WebDAV shares shown in nautilus places
And this is all blocked by default Fedora firewall settings (5353/udp).
--
Tomasz Torcz "Funeral in the morning, IDE hacking
xmpp: zdzichubg(a)chrome.pl in the afternoon and evening." - Alan Cox
2:06 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 21:01 +0100, Tomasz Torcz wrote:
On Mon, Dec 06, 2010 at 02:56:19PM -0500, seth vidal wrote:
> On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
> > seth vidal (skvidal(a)fedoraproject.org) said:
> > > Bittorrent won't work through many/most wireless routers unless they
are
> > > not natted and/or not explicitly configured.
> > >
> > > what network games?
> > > Heck, what network games do we HAVE?
> > >
> > > what are the use cases of zeroconf-enabled apps that we're
targetting?
> >
> > Zeroconf and IPP browse packets are both means of making priting less
> > of a giant pain to set up.
>
> ah, printing.
>
> Is there anything that's not last century?
Yeah, general discovery. From the top of my head:
- Pulseaudio sinks and sources
- libvirt instances for virt-manager
- VNC desktops for Vinagre
- local web pages (think SOHO router config page) for zeroconf
enabled Webbrowsers like Epiphany
- remote disk management (udisks)
- local FTP sites and WebDAV shares shown in nautilus places
And this is all blocked by default Fedora firewall settings (5353/udp).
I'm confused - are any of the above intended to be used/available by
anyone who is NOT experienced enough to know what iptables are and how
to manage them? B/c I think it's a bit unlikely.
-sv
2:23 p.m.
New subject: Firewall
On 06/12/10 21:06, seth vidal wrote:
On Mon, 2010-12-06 at 21:01 +0100, Tomasz Torcz wrote:
> On Mon, Dec 06, 2010 at 02:56:19PM -0500, seth vidal wrote:
>> On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
>>> seth vidal (skvidal(a)fedoraproject.org) said:
>>>> Bittorrent won't work through many/most wireless routers unless they
are
>>>> not natted and/or not explicitly configured.
>>>>
>>>> what network games?
>>>> Heck, what network games do we HAVE?
>>>>
>>>> what are the use cases of zeroconf-enabled apps that we're
targetting?
>>>
>>> Zeroconf and IPP browse packets are both means of making priting less
>>> of a giant pain to set up.
>>
>> ah, printing.
>>
>> Is there anything that's not last century?
>
>
> Yeah, general discovery. From the top of my head:
> - Pulseaudio sinks and sources
> - libvirt instances for virt-manager
> - VNC desktops for Vinagre
> - local web pages (think SOHO router config page) for zeroconf
> enabled Webbrowsers like Epiphany
> - remote disk management (udisks)
> - local FTP sites and WebDAV shares shown in nautilus places
>
> And this is all blocked by default Fedora firewall settings (5353/udp).
>
I'm confused - are any of the above intended to be used/available by
anyone who is NOT experienced enough to know what iptables are and how
to manage them? B/c I think it's a bit unlikely.
-sv
+10
3:52 p.m.
New subject: Firewall
On Mon, Dec 06, 2010 at 03:06:24PM -0500, seth vidal wrote:
On Mon, 2010-12-06 at 21:01 +0100, Tomasz Torcz wrote:
> On Mon, Dec 06, 2010 at 02:56:19PM -0500, seth vidal wrote:
> > On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
> > > seth vidal (skvidal(a)fedoraproject.org) said:
> > > > Bittorrent won't work through many/most wireless routers unless
they are
> > > > not natted and/or not explicitly configured.
> > > >
> > > > what network games?
> > > > Heck, what network games do we HAVE?
> > > >
> > > > what are the use cases of zeroconf-enabled apps that we're
targetting?
> > >
> > > Zeroconf and IPP browse packets are both means of making priting less
> > > of a giant pain to set up.
> >
> > ah, printing.
> >
> > Is there anything that's not last century?
>
>
> Yeah, general discovery. From the top of my head:
> - Pulseaudio sinks and sources
> - libvirt instances for virt-manager
> - VNC desktops for Vinagre
> - local web pages (think SOHO router config page) for zeroconf
> enabled Webbrowsers like Epiphany
> - remote disk management (udisks)
> - local FTP sites and WebDAV shares shown in nautilus places
>
> And this is all blocked by default Fedora firewall settings (5353/udp).
>
I'm confused - are any of the above intended to be used/available by
anyone who is NOT experienced enough to know what iptables are and how
to manage them? B/c I think it's a bit unlikely.
Our tooling around avahi sucks (even the command line tools), but the
idea itself is quite wonderful.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
4:34 p.m.
New subject: Firewall
Dne 6.12.2010 21:06, seth vidal napsal(a):
I'm confused - are any of the above intended to be used/available
by
anyone who is NOT experienced enough to know what iptables are and how
to manage them? B/c I think it's a bit unlikely.
OK, so let's add (just what gets packaged in Fedora):
* Empathy/Pidgin/gajim ... XMPP over Zeroconf for LAN
* Gobby ... for connecting with collaborators over LAN (not sure
whether AbiWord and gedit-collaboration with similar functionality are
using Zeroconf or just plain XMPP over central server)
* Pulseaudio sinks and servers ... most artists are poor in network
administration
* DAAP servers (there is rhythmbox and mt-daapd already packaged, and I
plan to package forked-daapd) for sharing music over local network
* seahorse (sharing web-of-trust over local network)
* totem ... streaming for local network
Should I continue? Really, Seth, Bonjour was created by Apple as means
to make networking easy for normal people
(http://www.youtube.com/watch?v=kgMVjEJiHDM), so it should really work
for normal people without fiddling with firewall.
I have to admit, I am not completely happy with having no firewall per
default, but we should really do something about Zeroconf to really make
it work for normal people as much as bread toaster works for them.
Best,
Matěj
4:47 p.m.
New subject: Firewall
2010/12/6 Matej Cepl <mcepl(a)redhat.com>:
Dne 6.12.2010 21:06, seth vidal napsal(a):
[..]
I have to admit, I am not completely happy with having no firewall
per
default,
It looks like you do not have to worry about removing iptables from @core :)
I think that further discussion on removal it from core is pointless,
so we have to start thinking how to convert ip*tables to systemd
services. I afraid it will end on something like that
ExecStart=/etc/init.d/iptables start
ExecStop=/etc/init.d/iptables stop
but we should really do something about Zeroconf to really make
it work for normal people as much as bread toaster works for them.
Best,
Matěj
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
--
Best regards,
Michal
Sent from my iToaster
4:54 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 15:06 -0500, seth vidal wrote:
On Mon, 2010-12-06 at 21:01 +0100, Tomasz Torcz wrote:
> Yeah, general discovery. From the top of my head:
> - Pulseaudio sinks and sources
> - libvirt instances for virt-manager
> - VNC desktops for Vinagre
> - local web pages (think SOHO router config page) for zeroconf
> enabled Webbrowsers like Epiphany
> - remote disk management (udisks)
> - local FTP sites and WebDAV shares shown in nautilus places
>
> And this is all blocked by default Fedora firewall settings (5353/udp).
I'm confused - are any of the above intended to be used/available by
anyone who is NOT experienced enough to know what iptables are and how
to manage them? B/c I think it's a bit unlikely.
Yes, in fact. This is how ad-hoc service discovery works on every other
OS and with a stunning number of consumer devices. Interop with that is
an entirely reasonable thing to expect.
I've been using linux for, what, fourteen years now? I've migrated
firewall configs from ipfwadm through ipchains through iptables. I've
done network administration for a day job. I know what a firewall is,
and if you force me to I can remember how to manage one long enough to
make file sharing work.
And every time I do, I think "there's no reason it needs to be this
hard". All I want to do is make movies on my hard drive visible to my
PS3. Why is this harder than clicking "share"? All I want to do is
plug the NAS drive I just bought from Best Buy into the ethernet cable
and put files on it. Why do I have to play mother-may-I with the
firewall config tool before I can see that it's offering a UPNP service?
- ajax
5:04 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 17:54 -0500, Adam Jackson wrote:
And every time I do, I think "there's no reason it needs to
be this
hard". All I want to do is make movies on my hard drive visible to my
PS3. Why is this harder than clicking "share"? All I want to do is
plug the NAS drive I just bought from Best Buy into the ethernet cable
and put files on it. Why do I have to play mother-may-I with the
firewall config tool before I can see that it's offering a UPNP service?
No reason - but why do I have to have the default on my OVERWHELMINGLY
LARGE NUMBER OF SERVER INSTALLS be less secure b/c you want to do
something like the above?
I shouldn't.
If you want to do that on the livecd - have at it.
if you want to make it the default system-wide then we have a problem.
-sv
5:10 p.m.
New subject: Firewall
On 12/06/2010 04:04 PM, seth vidal wrote:
On Mon, 2010-12-06 at 17:54 -0500, Adam Jackson wrote:
> And every time I do, I think "there's no reason it needs to be this
> hard". All I want to do is make movies on my hard drive visible to my
> PS3. Why is this harder than clicking "share"? All I want to do is
> plug the NAS drive I just bought from Best Buy into the ethernet cable
> and put files on it. Why do I have to play mother-may-I with the
> firewall config tool before I can see that it's offering a UPNP service?
No reason - but why do I have to have the default on my OVERWHELMINGLY
LARGE NUMBER OF SERVER INSTALLS be less secure b/c you want to do
something like the above?
I shouldn't.
If you want to do that on the livecd - have at it.
if you want to make it the default system-wide then we have a problem.
-sv
But once we're talking about OVERWHELMINGLY LARGE NUMBER OF SERVER INSTALLS,
aren't we also talking about kickstart and other automated management tools
with which configuring things away from their default values is a standard and
fairly straightforward thing to do?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion(a)cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
5:40 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 16:10 -0700, Orion Poplawski wrote:
But once we're talking about OVERWHELMINGLY LARGE NUMBER OF
SERVER INSTALLS,
aren't we also talking about kickstart and other automated management tools
with which configuring things away from their default values is a standard and
fairly straightforward thing to do?
I am mostly concerned with surprising folks who have expected it to be
on.
But you know -what - you have a fair point.
if we make this change, as long as we make it a feature and publicize
the heck out of it, I'm fine w/that.
-sv
9:50 p.m.
New subject: Firewall
On 12/06/2010 06:40 PM, seth vidal wrote:
On Mon, 2010-12-06 at 16:10 -0700, Orion Poplawski wrote:
> But once we're talking about OVERWHELMINGLY LARGE NUMBER OF SERVER INSTALLS,
> aren't we also talking about kickstart and other automated management tools
> with which configuring things away from their default values is a standard and
> fairly straightforward thing to do?
I am mostly concerned with surprising folks who have expected it to be
on.
But you know -what - you have a fair point.
if we make this change, as long as we make it a feature and publicize
the heck out of it, I'm fine w/that.
* My firewalls have a lot of rules - huge number really - they are
hand crafted and scripted directly into iptables-restore format so they
load extremely fast.
* We are perfectly happy doing this and it is tested and robust.
* On my laptop I could be convinced to use a more 'dynamic' tool ..
provided it did not reduce security (by some appropriate measure).
* As long as it continues to be easy to continue to use standard
static iptables I'd be fine with the additions. Static should be the
default on any 'server' like install as sv suggested -
* This reminds me to ask .. is ipset available on f14 yet? That is
something that could be very useful for us .... it is not in f13 and
would be a lovely addition to f14 .. :-)
* Will fedora bring app-armor (and GUI's tools perhaps) as an selinux
partner for f15 now that its accepted in upstream kernel too ?
gene/
7:46 a.m.
New subject: Firewall
On 12/07/2010 02:41 AM, Matej Cepl wrote:
Dne 7.12.2010 04:50, Genes MailLists napsal(a):
> * Will fedora bring app-armor (and GUI's tools perhaps) as an selinux
> partner for f15 now that its accepted in upstream kernel too ?
Gosh, I hope not, but I have my doubts.
Matěj
Oh why ? Don't you believe that combining the amazing power of selinux
with the path oriented app-armor would create stronger firewalling?
Linus thinks so ... so do I.
I'm saying both together here ... selinux is great.
8:23 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 18:04 -0500, seth vidal wrote:
On Mon, 2010-12-06 at 17:54 -0500, Adam Jackson wrote:
> And every time I do, I think "there's no reason it needs to be this
> hard". All I want to do is make movies on my hard drive visible to my
> PS3. Why is this harder than clicking "share"? All I want to do is
> plug the NAS drive I just bought from Best Buy into the ethernet cable
> and put files on it. Why do I have to play mother-may-I with the
> firewall config tool before I can see that it's offering a UPNP service?
No reason - but why do I have to have the default on my OVERWHELMINGLY
LARGE NUMBER OF SERVER INSTALLS be less secure b/c you want to do
something like the above?
I shouldn't.
If you want to do that on the livecd - have at it.
if you want to make it the default system-wide then we have a problem.
That's not the question you asked. You asked what the use cases of Avahi
are, and people told you. You can't ask a question, get a bunch of very
good answers to it, and then say 'but those answers don't address this
different concern which is completely unrelated to my question!'
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
8:31 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 18:23 -0800, Adam Williamson wrote:
On Mon, 2010-12-06 at 18:04 -0500, seth vidal wrote:
> On Mon, 2010-12-06 at 17:54 -0500, Adam Jackson wrote:
>
> > And every time I do, I think "there's no reason it needs to be this
> > hard". All I want to do is make movies on my hard drive visible to my
> > PS3. Why is this harder than clicking "share"? All I want to do is
> > plug the NAS drive I just bought from Best Buy into the ethernet cable
> > and put files on it. Why do I have to play mother-may-I with the
> > firewall config tool before I can see that it's offering a UPNP service?
>
> No reason - but why do I have to have the default on my OVERWHELMINGLY
> LARGE NUMBER OF SERVER INSTALLS be less secure b/c you want to do
> something like the above?
>
> I shouldn't.
>
> If you want to do that on the livecd - have at it.
>
> if you want to make it the default system-wide then we have a problem.
That's not the question you asked. You asked what the use cases of Avahi
are, and people told you. You can't ask a question, get a bunch of very
good answers to it, and then say 'but those answers don't address this
different concern which is completely unrelated to my question!'
sure I can.
-sv
8:37 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 21:31 -0500, seth vidal wrote:
> That's not the question you asked. You asked what the use
cases of Avahi
> are, and people told you. You can't ask a question, get a bunch of very
> good answers to it, and then say 'but those answers don't address this
> different concern which is completely unrelated to my question!'
sure I can.
rephrase: you can, but I get to call shenanigans. :P
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
8:20 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 15:06 -0500, seth vidal wrote:
> Yeah, general discovery. From the top of my head:
> - Pulseaudio sinks and sources
> - libvirt instances for virt-manager
> - VNC desktops for Vinagre
> - local web pages (think SOHO router config page) for zeroconf
> enabled Webbrowsers like Epiphany
> - remote disk management (udisks)
> - local FTP sites and WebDAV shares shown in nautilus places
>
> And this is all blocked by default Fedora firewall settings (5353/udp).
>
I'm confused - are any of the above intended to be used/available by
anyone who is NOT experienced enough to know what iptables are and how
to manage them? B/c I think it's a bit unlikely.
Why not?
PulseAudio lets you play audio from any system on any other system. You
don't need to be some kind of nerd to want to do that.
Lots of people need to get to their wireless router config page. In
fact, *everyone* should, if only to change the password.
And there's nothing unusual about browsing the local network, which
avahi enables without the need to set up NFS or Samba shares.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
2:25 p.m.
New subject: Firewall
Tomasz Torcz píše v Po 06. 12. 2010 v 21:01 +0100:
Yeah, general discovery. From the top of my head:
- Pulseaudio sinks and sources
- libvirt instances for virt-manager
- VNC desktops for Vinagre
- local web pages (think SOHO router config page) for zeroconf
enabled Webbrowsers like Epiphany
- remote disk management (udisks)
- local FTP sites and WebDAV shares shown in nautilus places
And this is all blocked by default Fedora firewall settings (5353/udp).
These
really sound like something that "should" be caught by the default
"enable related packets" rule - if the kernel sees an outgoing mDNS
request, it temporarily enables replies to the same port. If the kernel
doesn't do this already, teaching this to the kernel soulds like the
cleanest solution.
Mirek
1:59 p.m.
New subject: Firewall
On Mon, Dec 06, 2010 at 09:01:26PM +0100, Tomasz Torcz wrote:
Yeah, general discovery. From the top of my head:
- Pulseaudio sinks and sources
- libvirt instances for virt-manager
- VNC desktops for Vinagre
- local web pages (think SOHO router config page) for zeroconf
enabled Webbrowsers like Epiphany
- remote disk management (udisks)
- local FTP sites and WebDAV shares shown in nautilus places
I guess most of these pages require authentication, so what use is it to
know that they exist if one does not know the credentials for them? And
if people know the credentials, why don't they know where to enter them?
Regards
Till
10:10 a.m.
New subject: Firewall
On Mon, 2010-12-06 at 14:56 -0500, seth vidal wrote:
ah, printing.
Is there anything that's not last century?
So you are trying to defend the last-century firewall technology by
calling everything that wants to share data last century ?
That seems not the most constructive attitude...
10:12 a.m.
New subject: Firewall
On Tue, 2010-12-07 at 11:10 -0500, Matthias Clasen wrote:
On Mon, 2010-12-06 at 14:56 -0500, seth vidal wrote:
>
> ah, printing.
>
> Is there anything that's not last century?
>
So you are trying to defend the last-century firewall technology by
calling everything that wants to share data last century ?
That seems not the most constructive attitude...
dude, read to the end of the thread. I walked away - I conceded the
point about disabling the firewall.
-sv
10:22 a.m.
New subject: Firewall
On Tue, 2010-12-07 at 11:12 -0500, seth vidal wrote:
dude, read to the end of the thread. I walked away - I conceded the
point about disabling the firewall.
Sorry, sent too early (and twice, to add insult to injury....).
Anyway, to put a more positive note on this, I'm looking forward to
Tomas work, and the NetworkManager integration for it.
10:19 a.m.
New subject: Firewall
On Mon, 2010-12-06 at 14:56 -0500, seth vidal wrote:
ah, printing.
Is there anything that's not last century?
So you are trying to defend the last-century firewall technology by
calling everything that wants to share data last century ?
That seems not the most constructive attitude...
5:43 p.m.
New subject: Firewall
seth vidal wrote:
ah, printing.
Is there anything that's not last century?
Uh, you'd be surprised how much many users out there in the real world still
print!
Sure, I don't use my printer much anymore, and there might even be people
not printing anything at all anymore, you might be one of those, but do not
generalize your usage pattern to the whole world!
Kevin Kofler
5:53 p.m.
New subject: Firewall
2010/12/10 Kevin Kofler <kevin.kofler(a)chello.at>:
seth vidal wrote:
> ah, printing.
>
> Is there anything that's not last century?
Uh, you'd be surprised how much many users out there in the real world still
print!
In these days I've been printing 20000+ pages, all of them different,
and I do it in a network of several Fedora workstations and printers.
People who use Fedora for $work will want network printing support of
the highest quality as possible.
k.r.
Domingo Becker
5:28 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 14:56 -0500, seth vidal wrote:
ah, printing.
Is there anything that's not last century?
So you are trying to defend the last-century firewall technology by
calling everything that wants to share data last century ?
That seems not the most constructive attitude...
5:29 p.m.
New subject: Firewall
On Tue, 2010-12-07 at 11:19 -0500, Matthias Clasen wrote:
On Mon, 2010-12-06 at 14:56 -0500, seth vidal wrote:
>
> ah, printing.
>
> Is there anything that's not last century?
>
So you are trying to defend the last-century firewall technology by
calling everything that wants to share data last century ?
That seems not the most constructive attitude...
*TWEEEEEEEEEEET*
Flag on the play
5 yard penalty!
late hit!
-sv
6:02 p.m.
New subject: Firewall
On Thu, 2011-01-06 at 18:29 -0500, seth vidal wrote:
On Tue, 2010-12-07 at 11:19 -0500, Matthias Clasen wrote:
> On Mon, 2010-12-06 at 14:56 -0500, seth vidal wrote:
>
> >
> > ah, printing.
> >
> > Is there anything that's not last century?
> >
>
> So you are trying to defend the last-century firewall technology by
> calling everything that wants to share data last century ?
>
> That seems not the most constructive attitude...
>
*TWEEEEEEEEEEET*
Flag on the play
5 yard penalty!
late hit!
I blame evo.
6:02 p.m.
New subject: Firewall
On Thu, 2011-01-06 at 18:29 -0500, seth vidal wrote:
On Tue, 2010-12-07 at 11:19 -0500, Matthias Clasen wrote:
> On Mon, 2010-12-06 at 14:56 -0500, seth vidal wrote:
>
> >
> > ah, printing.
> >
> > Is there anything that's not last century?
> >
>
> So you are trying to defend the last-century firewall technology by
> calling everything that wants to share data last century ?
>
> That seems not the most constructive attitude...
>
*TWEEEEEEEEEEET*
Flag on the play
5 yard penalty!
late hit!
I blame evo.
4:18 p.m.
New subject: Firewall
Dne 6.12.2010 20:53, seth vidal napsal(a):
what are the use cases of zeroconf-enabled apps that we're
targetting?
* XMPP-over-Zeroconf (Bonjour)
* gtkvnc searches for VNC servers
* ekiga looks for other clients on LAN
* you can go to local ssh servers in .local domain
* etc. etc. ... partial list is on
http://avahi.org/wiki/Avah4users#SoftwareMakinguseofAvahi
Matěj
5:21 p.m.
New subject: Firewall
On 12/06/2010 11:53 AM, seth vidal wrote:
On Mon, 2010-12-06 at 11:48 -0800, Jesse Keating wrote:
> Bittorrent, network games, zero conf come to mind.
>
Bittorrent won't work through many/most wireless routers unless they are
not natted and/or not explicitly configured.
Actually bittorrents that have upnp work. Routers I've seen come
pre-configured to allow upnp, so an app on a computer, or a game
console, sends out a upnp request to open up/forward a port and the
router complies.
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
1:44 a.m.
New subject: Firewall
Dne 7.12.2010 00:21, Jesse Keating napsal(a):
Actually bittorrents that have upnp work. Routers I've seen
come
pre-configured to allow upnp, so an app on a computer, or a game
console, sends out a upnp request to open up/forward a port and the
router complies.
And I really hope this will never work on any computer I admin ... there
is apparently now small cottage industry of Windows viruses switching
off firewall via UPNP.
Matěj
10:01 a.m.
New subject: Firewall
On Tue, Dec 07, 2010 at 08:44:02AM +0100, Matej Cepl wrote:
Dne 7.12.2010 00:21, Jesse Keating napsal(a):
> Actually bittorrents that have upnp work. Routers I've seen come
> pre-configured to allow upnp, so an app on a computer, or a game
> console, sends out a upnp request to open up/forward a port and the
> router complies.
And I really hope this will never work on any computer I admin ... there
is apparently now small cottage industry of Windows viruses switching
off firewall via UPNP.
Not to mention that UPnP is a scary hack:
http://www.upnp-hacks.org/upnp.html
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://et.redhat.com/~rjones/libguestfs/
See what it can do: http://et.redhat.com/~rjones/libguestfs/recipes.html
8:15 p.m.
New subject: Firewall
On Mon, 2010-12-06 at 14:53 -0500, seth vidal wrote:
what are the use cases of zeroconf-enabled apps that we're
targetting?
GNOME uses avahi to find other linux systems on the local network it can
browse via scp.
(well, it's supposed to. this hasn't worked for me for a while, though
it seems to work in Mandriva.)
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
1:20 p.m.
New subject: Firewall
On Mon, Dec 06, 2010 at 08:09:29PM +0100, Miloslav Trmač wrote:
I can see the following primary reasons to have a firewall:
* Enforcing a sysadmin-set (system-wide or site-wide) policy.
"No, you will not run any bittorrent client on the company's
computer".
* A "speed bump" that requires an independent action to prevent
unintentionally opening up a service.
"You have started $server, and it accepts connections from the
whole internet. Here's your chance to think about this again.
Do you want to open the port?"
The question implies some sort of GUI pop-up. More likely is the incidental
installation of something. Does Gnome still pull in Apache for peer-to-peer
filesharing? Or some other package misconfigured to listen when it
shouldn't. Installing a firewall by default contributes to defense in depth
at relatively little cost.
* ZOMG WE NEED A FIREWALL
"I can't use this Linux thing, my bank requires me to run an
antivirus and a firewall."
And don't underestimate that need -- more places than banks have similar
requirements.
Are there other reasons?
Programs like fail2ban use the packet filter to block aggressive brute-force
attempts. But I don't think any of them require an existing configuration of
some sort -- they just do their own thing on top of whatever is there.
--
Matthew Miller <mattdm(a)mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences
1:25 p.m.
New subject: Firewall
On 12/06/2010 11:20 AM, Matthew Miller wrote:
Installing a firewall by default contributes to defense in depth
at relatively little cost.
I think that's discounting the user cost, of having something actively
getting in your way of accomplishing tasks, and we have no real good way
of helping the user get it out of their way.
The argument of default firewall or not would probably quiet down quite
a bit if we had any sort of decent UI to help users get the firewall out
of their way when they're really trying to do something.
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
1:31 p.m.
New subject: Firewall
2010/12/6 Jesse Keating <jkeating(a)redhat.com>:
On 12/06/2010 11:20 AM, Matthew Miller wrote:
> Installing a firewall by default contributes to defense in depth
> at relatively little cost.
>
I think that's discounting the user cost, of having something actively
getting in your way of accomplishing tasks, and we have no real good way
of helping the user get it out of their way.
The argument of default firewall or not would probably quiet down quite
a bit if we had any sort of decent UI to help users get the firewall out
of their way when they're really trying to do something.
I tried several times to use system-config-firewall-tui - usability
disaster. I prefer to edit sysconfig/iptables ;)
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
--
Best regards,
Michal
Sent from my iToaster
2:18 p.m.
New subject: Firewall
Jesse Keating <jkeating(a)redhat.com> writes:
The argument of default firewall or not would probably quiet down
quite
a bit if we had any sort of decent UI to help users get the firewall out
of their way when they're really trying to do something.
+1. In today's environment, not having a firewall by default is an
incredibly stupid idea. What we need to do is fix the UI problems,
not bypass them by dramatically reducing security.
regards, tom lane
5:25 p.m.
New subject: Firewall
On 12/06/2010 12:18 PM, Tom Lane wrote:
Jesse Keating <jkeating(a)redhat.com> writes:
> The argument of default firewall or not would probably quiet down quite
> a bit if we had any sort of decent UI to help users get the firewall out
> of their way when they're really trying to do something.
+1. In today's environment, not having a firewall by default is an
incredibly stupid idea. What we need to do is fix the UI problems,
not bypass them by dramatically reducing security.
regards, tom lane
I keep seeing claims of "incredibly stupid", and at the same time saying
we need to make it easier to open up ports when they need them. What is
the default firewall protecting me from, if I'm allowed and hand held
through opening up ports on demand?
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
5:42 p.m.
New subject: Firewall
On Mon, Dec 6, 2010 at 16:25, Jesse Keating <jkeating(a)redhat.com> wrote:
On 12/06/2010 12:18 PM, Tom Lane wrote:
> Jesse Keating <jkeating(a)redhat.com> writes:
>> The argument of default firewall or not would probably quiet down quite
>> a bit if we had any sort of decent UI to help users get the firewall out
>> of their way when they're really trying to do something.
>
> +1. In today's environment, not having a firewall by default is an
> incredibly stupid idea. What we need to do is fix the UI problems,
> not bypass them by dramatically reducing security.
>
> regards, tom lane
I keep seeing claims of "incredibly stupid", and at the same time saying
we need to make it easier to open up ports when they need them. What is
the default firewall protecting me from, if I'm allowed and hand held
through opening up ports on demand?
Ports that you don't know are open to the network but are somehow available.
Let us put this conversation slightly different... how many of us
remember password-less package install? It all sounded like a good
idea with people who are going to be on the system already being able
to do what they want so why ask for a password. However how did it get
seen in the end? Fedora comes RootKit enabled and other fluff.
I am trying to think how this one will play out:
"Ten years ago, Linux distros were cutting edge by coming with a
firewall enabled. Now Fedora is going to cut the edge in a new way...
no firewall wanted."
Yes there are a lot of good ideas and reasons.. I think that first
though a tool to deal with firewalls and THEN we can talk about what
firewalls need to be removed.
[And no I am not trying for 2 weeks of LWN quotes as tempting it will
be. (alright alright I am .. it is just so addicting)]
--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren
5:54 p.m.
New subject: Firewall
On 12/06/2010 03:42 PM, Stephen John Smoogen wrote:
Ports that you don't know are open to the network but are somehow
available.
Let us put this conversation slightly different... how many of us
remember password-less package install? It all sounded like a good
idea with people who are going to be on the system already being able
to do what they want so why ask for a password. However how did it get
seen in the end? Fedora comes RootKit enabled and other fluff.
I am trying to think how this one will play out:
"Ten years ago, Linux distros were cutting edge by coming with a
firewall enabled. Now Fedora is going to cut the edge in a new way...
no firewall wanted."
Yes there are a lot of good ideas and reasons.. I think that first
though a tool to deal with firewalls and THEN we can talk about what
firewalls need to be removed.
[And no I am not trying for 2 weeks of LWN quotes as tempting it will
be. (alright alright I am .. it is just so addicting)]
Clearly we just need to word it differently. Linux has a firewall built
in, that nothing will come in until you bind to a port. We're just
removing the redundant extra firewall by default :)
(I'm not actually serious)
(I also don't really care if we have a firewall by default vs not, so
long as we're very clear in what the benefits are one way or another
(more than just ZOMG NEED FIREWALL), and we make it easy for expected
things to work and unexpected things to not work)
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
10:03 a.m.
New subject: Firewall
On Mon, Dec 06, 2010 at 03:25:30PM -0800, Jesse Keating wrote:
On 12/06/2010 12:18 PM, Tom Lane wrote:
> Jesse Keating <jkeating(a)redhat.com> writes:
>> The argument of default firewall or not would probably quiet down quite
>> a bit if we had any sort of decent UI to help users get the firewall out
>> of their way when they're really trying to do something.
>
> +1. In today's environment, not having a firewall by default is an
> incredibly stupid idea. What we need to do is fix the UI problems,
> not bypass them by dramatically reducing security.
>
> regards, tom lane
I keep seeing claims of "incredibly stupid", and at the same time saying
we need to make it easier to open up ports when they need them. What is
the default firewall protecting me from, if I'm allowed and hand held
through opening up ports on demand?
There's also more to life than TCP ports. UDP ports, ICMP, other
protocols, other unrecognized protocols, packets containing completely
random stuff ... Having a firewall that lets through every TCP port
does still give you protection from this other stuff.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
10:24 a.m.
New subject: Firewall
On 12/07/2010 08:03 AM, Richard W.M. Jones wrote:
There's also more to life than TCP ports. UDP ports, ICMP,
other
protocols, other unrecognized protocols, packets containing completely
random stuff ... Having a firewall that lets through every TCP port
does still give you protection from this other stuff.
This is starting to sound like more reasonable arguments than "ZOMG
FIREWALL". Thank you. We should be sure to document these things in a
page that explains why Fedora has a Firewall by default, and why the
default configuration has been chosen.
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
12:57 p.m.
New subject: Firewall
On Tue, Dec 7, 2010 at 09:24, Jesse Keating <jkeating(a)redhat.com> wrote:
On 12/07/2010 08:03 AM, Richard W.M. Jones wrote:
> There's also more to life than TCP ports. UDP ports, ICMP, other
> protocols, other unrecognized protocols, packets containing completely
> random stuff ... Having a firewall that lets through every TCP port
> does still give you protection from this other stuff.
This is starting to sound like more reasonable arguments than "ZOMG
FIREWALL". Thank you. We should be sure to document these things in a
page that explains why Fedora has a Firewall by default, and why the
default configuration has been chosen.
My memory of it goes something like this (notting can clarify)
Tech Support A: We are having a lot of issues with broken in systems
from network services
Developer A: Well they need to turn them off then.
Developer B: Well that would turn off <fill in something important>
Developer C: Well we do have a firewall
Developer A: Firewalls are hard.. do you know how hard it would be to
come up with something that doesn't break everyone.
Developer B: Hmmm we will need a gui and a backstore and ...
Alan Cox: Oh I wrote this lokkit so Telsa could setup a firewall after
her box got dodgy at a conference. The tech support guys can give it
out to people to test.
Or something like that. I do remember a lot of over-engineering and
then a very simple it does this from Alan. And I remember a lot of
issues we were having with customers going away after having them run
it.
The main things that will need to be done is
a) make sure most services aren't listening to UDP, SNP, etc to the
outside world
b) make sure that you can trust the services that do listen.
c) expect a lot of blowback from outside of Fedora after release.
--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren
1:16 p.m.
New subject: Firewall
Dne 7.12.2010 19:57, Stephen John Smoogen napsal(a):
Or something like that. I do remember a lot of over-engineering and
then a very simple it does this from Alan. And I remember a lot of
issues we were having with customers going away after having them run
it.
There is something weird about firewalls ... whenever anybody starts to
write about them, the result is super-over-complicated unreadable junk.
After fighting with firewalls for years, and while I thought that they
are something scary, I was enlightened in RHCE training, and since then
I have this script (http://mcepl.fedorapeople.org/tmp/iptables-script
... the current revision) and it works for me well. Sure, ability to
write trivial bash scripts is required, but I don't thing nothing over
the ability of most people using RHEL. Weird. And yes, this is very much
workstation-style laptop, and this serves me well whenever I came with it.
Matěj
3:30 p.m.
New subject: Firewall
On Tue, Dec 07, 2010 at 08:16:11PM +0100, Matej Cepl wrote:
Dne 7.12.2010 19:57, Stephen John Smoogen napsal(a):
> Or something like that. I do remember a lot of over-engineering and
> then a very simple it does this from Alan. And I remember a lot of
> issues we were having with customers going away after having them run
> it.
There is something weird about firewalls ... whenever anybody starts to
write about them, the result is super-over-complicated unreadable junk.
After fighting with firewalls for years, and while I thought that they
are something scary, I was enlightened in RHCE training, and since then
I have this script (http://mcepl.fedorapeople.org/tmp/iptables-script
... the current revision) and it works for me well. Sure, ability to
write trivial bash scripts is required, but I don't thing nothing over
the ability of most people using RHEL. Weird. And yes, this is very much
workstation-style laptop, and this serves me well whenever I came with it.
I'm sure that script works fine for you, but ...
The issue we face with libvirt is it needs to be able to add extra
rules to the existing firewall, and have those rules added in the
right place, and preserved across firewall restarts, reboots and so
on. There are other services which need to add rules too (see cups
mentioned previously in this thread).
Unfortunately a shell script, or lokkit, has not been able to handle
this gracefully. The question is what should replace it (I am
favouring /etc/iptables.d/ but as you can see other people disagree
with me).
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
8:53 p.m.
New subject: Firewall
Dne 7.12.2010 22:30, Richard W.M. Jones napsal(a):
The issue we face with libvirt is it needs to be able to add extra
rules to the existing firewall, and have those rules added in the
right place, and preserved across firewall restarts, reboots and so
on. There are other services which need to add rules too (see cups
mentioned previously in this thread).
a) libvirt somehow manages to work just fine on my computer even with my
script, so why to change it?
b) I have still https://www.grc.com/unpnp/unpnp.htm on my mind. Aren't
we going in the same direction, so that we will need stuff like this?
Best,
Matěj
3:37 a.m.
New subject: Firewall
On Wed, Dec 08, 2010 at 03:53:34AM +0100, Matej Cepl wrote:
Dne 7.12.2010 22:30, Richard W.M. Jones napsal(a):
> The issue we face with libvirt is it needs to be able to add extra
> rules to the existing firewall, and have those rules added in the
> right place, and preserved across firewall restarts, reboots and so
> on. There are other services which need to add rules too (see cups
> mentioned previously in this thread).
a) libvirt somehow manages to work just fine on my computer even with my
script, so why to change it?
libvirtd (the daemon) does currently add firewall rules, and those
rules are necessary. If you restart the iptables service, or
otherwise drop those rules, all your guests will lose their network.
Either you're not using libvirtd, not running guests, or not rerunning
your firewall script. In any case, a fixed shell script is not
flexible enough for libvirt and some other services.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
2:32 p.m.
New subject: q
Le lundi 06 décembre 2010 à 20:09 +0100, Miloslav Trmač a écrit :
Are there other reasons?
App writers are busy reinventing the wheel, changing the configuration
files syntax, and believing they can't do wrong; make sure their mess is
blocked at the outbound port before we get rooted.
--
Nicolas Mailhot
4:13 a.m.
New subject: Firewall
On Mon, Dec 06, 2010 at 11:00:53AM -0800, Jesse Keating wrote:
On 12/06/2010 10:07 AM, Miloslav Trmač wrote:
> Richard W.M. Jones píše v Po 06. 12. 2010 v 18:04 +0000:
>> On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
>>> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
>>>> On most desktop systems firewall is not needed. Many users do not even
>>>> know how to configure it. In fact I disable it in most of my systems,
>>>> because there is no real use for it. So I asked a simple question
>>>> whether there is a need to install iptables by default?
>>>>
>>>> Your answer is not satisfactory for me - because not configured
>>>> firewall has nothing to do with security. In fact, it can only bring
>>>> false sense of security.
>>>
>>> I believe the default is to block incoming connections except for a few
>>> services. This is good if you are running a sloppily written
>>> single-user server that binds to the wildcard address. The Haskell
>>> Scion server fell in this category as of August 2009; I didn't look to
>>> see what a remote user might be able to do to me by connecting to it.
>>> Yes, the proper way to avoid problems is to bind to localhost, but the
>>> firewall can be nice.
>>
>> It would be nice if the firewall automatically followed services that
>> I have enabled and disabled. eg. If I explicitly enable the
>> webserver, it should open the corresponding port(s).
> Just disable the firewall and you'll get pretty much equivalent
> functionality.
> Mirek
>
Right, I always struggle with this. If you allow services that bind to
a port once enabled to have the port open, then what good does it do to
have the port closed?
I really wonder what real purpose a firewall serves on these machines.
Once you get past the "ZOMG WE NEED A FIREWALL"....
I can somewhat see a firewall trying to protect a system from a user
process that got launched without the user being aware and binding to a
high port for nefarious reasons, but how do you balance that with the
legitimate applications that bind to high ports?
There is one other point worth remembering wrt to IPv6 autoconfig.
A naive admin might be only be thinking in terms of IPv4 when
configuring services on their machine. With IPv6 autoconfig, any
Fedora host will automatically obtain globally routable IPv6
address & connectivity when recieving a router advertisement on
the local LAN. Thus any services that were bound to the wildcard
address, would immediately become reachable over IPv6. This
probably isn't a huge problem, since if the admin has already
enabled public access over IPv4 they've likely performed suitable
security setup for the service. It could be a problem though if
they've done something crazy like "use auth scheme X for IPs in
range A, and auth scheme Y for IPs in range B" and not considered
what auth scheme was requried for other ranges, or non-IPv4 addresses.
An ipv6 firewall enabled by default would require admins to take
explicit steps to expose the services, even when the machine were
automagically obtaining IPv6 connectivity without admin interaction.
Regards,
Daniel
3:02 a.m.
New subject: Firewall
Monday Miloslav Trma said:
Just disable the firewall and you'll get pretty much equivalent
functionality.
How? Now that the filter table and stateful connection tracking, aren't
modules anymore. They now appear to be built monolithic into the Fedora
kernel.
../C
11:19 a.m.
New subject: Firewall
Curtis Doty píše v St 08. 12. 2010 v 01:02 -0800:
Monday Miloslav Trma said:
> Just disable the firewall and you'll get pretty much equivalent
> functionality.
How? Now that the filter table and stateful connection tracking, aren't
modules anymore. They now appear to be built monolithic into the Fedora
kernel.
a) you trust the in-kernel firewall state connection tracking to track
connection state and handle unexpected packets according to the firewall
configuration.
b) you trust the in-kernel protocol stack (TCP/UDP) to track connection
state and handle unexpected packets according to ordinary rules of the
protocol.
Is there a significant difference? I don't know. The protocol stack
code might be more complex and thus more risky, on the other hand the
firewall state tracking is an additional code that is activated only for
the firewall and can also contain bugs. Yes, there is a difference in
code, but the resulting difference in security seems quite small to me.
Mirek
9 p.m.
New subject: Firewall
Yesterday Miloslav Trma said:
Curtis Doty píÿÿe v St 08. 12. 2010 v 01:02 -0800:
> Monday Miloslav Trma said:
>
>> Just disable the firewall and you'll get pretty much equivalent
>> functionality.
>
> How? Now that the filter table and stateful connection tracking, aren't
> modules anymore. They now appear to be built monolithic into the Fedora
> kernel.
a) you trust the in-kernel firewall state connection tracking to track
connection state and handle unexpected packets according to the firewall
configuration.
b) you trust the in-kernel protocol stack (TCP/UDP) to track connection
state and handle unexpected packets according to ordinary rules of the
protocol.
Why must statefull connection tracking be imposed on every Fedora user?
Don't get me wrong. I use netfilter all the time and love it. And it's
good to install the userland iptables tools and a simple firewall by
default. But when I'd like to choose Fedora without it (asymmetric routing
anyone?), I now have to rebuild the kernel. [harumph!]
Was there ever a good reason for making the filter table and conntrack
modules monolithic? They certainly didn't used to be built in...
../C
7:07 a.m.
New subject: Firewall
On 12/10/2010 04:00 AM, Curtis Doty wrote:
Yesterday Miloslav Trma said:
> Curtis Doty píÿÿe v St 08. 12. 2010 v 01:02 -0800:
>> Monday Miloslav Trma said:
>>
>>> Just disable the firewall and you'll get pretty much equivalent
>>> functionality.
>>
>> How? Now that the filter table and stateful connection tracking, aren't
>> modules anymore. They now appear to be built monolithic into the Fedora
>> kernel.
>
> a) you trust the in-kernel firewall state connection tracking to track
> connection state and handle unexpected packets according to the firewall
> configuration.
>
> b) you trust the in-kernel protocol stack (TCP/UDP) to track connection
> state and handle unexpected packets according to ordinary rules of the
> protocol.
Why must statefull connection tracking be imposed on every Fedora user?
Don't get me wrong. I use netfilter all the time and love it. And it's
good to install the userland iptables tools and a simple firewall by
default. But when I'd like to choose Fedora without it (asymmetric
routing anyone?), I now have to rebuild the kernel. [harumph!]
Was there ever a good reason for making the filter table and conntrack
modules monolithic? They certainly didn't used to be built in...
../C
Actually a few years ago when we tried building all netfilter helpers as
modules it turned out that some of them couldn't be unloaded afterwards
as they had cyclic ref counters. This was even discovered in fairly
recent kernels, e.g. 2.6.32 where this was still an issue with several
helper modules, though there unfortunately you were able to unload the
module but it left a memory hole there which got reused by other modules
which then lead to the inevitable OOPS at one point.
Right now most of them should be fixed now, at least from the tests we
were able to do. So imho there shouldn't be anything requiring the
modules to be built like that anymore except speed reasons (see a thread
on fedora-devel about this a while ago and the performance problems of
modprobe).
Thanks & regards, Phil
--
Philipp Knirsch | Tel.: +49-711-96437-470
Supervisor Core Services | Fax.: +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch <pknirsch(a)redhat.com>
Hauptstaetterstr. 58 | Web: http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd: You're only jealous cos the little penguins are talking to me.
1:13 p.m.
New subject: Firewall
On 12/09/2010 09:00 PM, Curtis Doty wrote:
Why must statefull connection tracking be imposed on every Fedora
user?
Don't get me wrong. I use netfilter all the time and love it. And it's
good to install the userland iptables tools and a simple firewall by
default. But when I'd like to choose Fedora without it (asymmetric
routing anyone?), I now have to rebuild the kernel. [harumph!]
Was there ever a good reason for making the filter table and conntrack
modules monolithic? They certainly didn't used to be built in...
../C
Seems like there should be an easy way to 'opt-out' of connection
tracking. Have you tried anything like 'iptables -t raw -I PREROUTING
-j NOTRACK' ?
The iptables man-page says this about the 'raw' table:
" This table is used mainly for configuring exemptions from connection
tracking in combination with the NOTRACK target. It registers at the
netfilter hooks with higher priority and is thus called before
ip_conntrack, or any other IP tables. It provides the following
built-in chains: PREROUTING (for packets arriving via any network
interface) OUTPUT (for packets generated by local processes) "
Cheers.
-Jeff
8:18 p.m.
New subject: Firewall
Monday Jeff Raber said:
On 12/09/2010 09:00 PM, Curtis Doty wrote:
> Why must statefull connection tracking be imposed on every Fedora user?
>
> Don't get me wrong. I use netfilter all the time and love it. And it's
> good to install the userland iptables tools and a simple firewall by
> default. But when I'd like to choose Fedora without it (asymmetric
> routing anyone?), I now have to rebuild the kernel. [harumph!]
>
> Was there ever a good reason for making the filter table and conntrack
> modules monolithic? They certainly didn't used to be built in...
>
> ../C
Seems like there should be an easy way to 'opt-out' of connection
tracking. Have you tried anything like 'iptables -t raw -I PREROUTING
-j NOTRACK' ?
That's hardly opting out. Yes, loading the raw table and kicking each
frame with the NOTRACK flag is an option. But a whole world different from
the much more elegant solution of simply not loading the netfilter code at
all by default...let alone the conntrack module and both the filter and
raw table modules as well.
../C
3:24 p.m.
New subject: Firewall
On Tue, Dec 7, 2010 at 5:04 AM, Richard W.M. Jones <rjones(a)redhat.com>wrote:
On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
> > On most desktop systems firewall is not needed. Many users do not even
> > know how to configure it. In fact I disable it in most of my systems,
> > because there is no real use for it. So I asked a simple question
> > whether there is a need to install iptables by default?
> >
> > Your answer is not satisfactory for me - because not configured
> > firewall has nothing to do with security. In fact, it can only bring
> > false sense of security.
>
> I believe the default is to block incoming connections except for a few
> services. This is good if you are running a sloppily written
> single-user server that binds to the wildcard address. The Haskell
> Scion server fell in this category as of August 2009; I didn't look to
> see what a remote user might be able to do to me by connecting to it.
> Yes, the proper way to avoid problems is to bind to localhost, but the
> firewall can be nice.
It would be nice if the firewall automatically followed services that
I have enabled and disabled. eg. If I explicitly enable the
webserver, it should open the corresponding port(s).
Actually, just be a service is running doesn't mean you want it exposed to
the
world. I work as a web developer, so I have httpd running on my system,
but this doesn't me that I want everyone to be able to access this. My
httpd session is just for personal development and doesn't need to be
exposed just because it's running.
R.
7:57 p.m.
On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
There are no stupid questions :)
On most desktop systems firewall is not needed. Many users do not even
know how to configure it. In fact I disable it in most of my systems,
because there is no real use for it. So I asked a simple question
whether there is a need to install iptables by default?
On most laptops, however, which are the most common types of system sold
today, a firewall is very definitely needed when you're connecting to
hotel networks, public wifi access points...
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
8:04 p.m.
Adam Williamson píše v Po 06. 12. 2010 v 17:57 -0800:
On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
> There are no stupid questions :)
>
> On most desktop systems firewall is not needed. Many users do not even
> know how to configure it. In fact I disable it in most of my systems,
> because there is no real use for it. So I asked a simple question
> whether there is a need to install iptables by default?
On most laptops, however, which are the most common types of system sold
today, a firewall is very definitely needed when you're connecting to
hotel networks, public wifi access points...
It's not quite as clear as that.
Yes, the networks are dangerous. But
what specifically is the firewall protecting, and what specifically does
it prevent?
Mirek
8:04 p.m.
On 12/06/2010 05:57 PM, Adam Williamson wrote:
On most laptops, however, which are the most common types of system
sold
today, a firewall is very definitely needed when you're connecting to
hotel networks, public wifi access points...
Please explain why. What actual service is the firewall rendering in
this case?
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
8:08 p.m.
On Mon, 2010-12-06 at 17:57 -0800, Adam Williamson wrote:
On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
> There are no stupid questions :)
>
> On most desktop systems firewall is not needed. Many users do not even
> know how to configure it. In fact I disable it in most of my systems,
> because there is no real use for it. So I asked a simple question
> whether there is a need to install iptables by default?
On most laptops, however, which are the most common types of system sold
today, a firewall is very definitely needed when you're connecting to
hotel networks, public wifi access points...
We're trying to get beyond that conventional wisdom and look at what
services might actually get unintentionally exposed in the absence of a
firewall and whether there is some other solution (e.g., don't enable
them by default, or bind to localhost).
https://lists.fedoraproject.org/pipermail/devel/2010-December/146758.html
--
Matt
8:08 p.m.
Once upon a time, Adam Williamson <awilliam(a)redhat.com> said:
On most laptops, however, which are the most common types of system
sold
today, a firewall is very definitely needed when you're connecting to
hotel networks, public wifi access points...
The only thing you need a firewall by default for is to prevent services
that are listening on the network from being accessible. The better
solution is to stop having services listen on the network by default.
This was done for sendmail many years ago; why hasn't it been done for
other things, such as rpcbind (and RPC services), cups, etc.? These
daemons should bind to localhost only unless otherwise configured.
--
Chris Adams <cmadams(a)hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
2:27 a.m.
On Mon, 2010-12-06 at 20:08 -0600, Chris Adams wrote:
Once upon a time, Adam Williamson <awilliam(a)redhat.com> said:
> On most laptops, however, which are the most common types of system sold
> today, a firewall is very definitely needed when you're connecting to
> hotel networks, public wifi access points...
The only thing you need a firewall by default for is to prevent services
that are listening on the network from being accessible. The better
solution is to stop having services listen on the network by default.
This was done for sendmail many years ago; why hasn't it been done for
other things, such as rpcbind (and RPC services), cups, etc.? These
daemons should bind to localhost only unless otherwise configured.
In the cups case
might be probably reasonable to default to localhost.
However for rpcbind it is clearly not so - what's the point of starting
things that are mostly needed for NFS when you would be able to mount
only NFS provided by the localhost and export it to the localhost only
as well. In that sense it is debatable whether we want to have rpcbind
ON by default but having it on and bind to localhost only does not make
any sense to me.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
8:34 a.m.
Once upon a time, Tomas Mraz <tmraz(a)redhat.com> said:
In the cups case might be probably reasonable to default to
localhost.
However for rpcbind it is clearly not so - what's the point of starting
things that are mostly needed for NFS when you would be able to mount
only NFS provided by the localhost and export it to the localhost only
as well. In that sense it is debatable whether we want to have rpcbind
ON by default but having it on and bind to localhost only does not make
any sense to me.
Mounting remote NFS mounts doesn't require allowing the server to query
the local rpcbind, does it? I think you only need to allow remote
access to rpcbind if you are exporting filesystems, at which point you
are configuring things anyway, so configure rpcbind to listen on the
network.
I don't think this would be a big deal to require, since today you have
to reconfigure the firewall if you are configuring an NFS server.
--
Chris Adams <cmadams(a)hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
9:20 a.m.
2010/12/7 Tomas Mraz <tmraz(a)redhat.com>:
On Mon, 2010-12-06 at 20:08 -0600, Chris Adams wrote:
> Once upon a time, Adam Williamson <awilliam(a)redhat.com> said:
> > On most laptops, however, which are the most common types of system sold
> > today, a firewall is very definitely needed when you're connecting to
> > hotel networks, public wifi access points...
>
> The only thing you need a firewall by default for is to prevent services
> that are listening on the network from being accessible. The better
> solution is to stop having services listen on the network by default.
>
> This was done for sendmail many years ago; why hasn't it been done for
> other things, such as rpcbind (and RPC services), cups, etc.? These
> daemons should bind to localhost only unless otherwise configured.
In the cups case might be probably reasonable to default to localhost.
However for rpcbind it is clearly not so - what's the point of starting
things that are mostly needed for NFS when you would be able to mount
only NFS provided by the localhost and export it to the localhost only
as well. In that sense it is debatable whether we want to have rpcbind
ON by default but having it on and bind to localhost only does not make
any sense to me.
How many users use NFS on desktop? This is not even used on all servers.
So the question is - do we want to have NFS by default?
I use samba and I don't want to force all users to install it by default.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
--
Best regards,
Michal
Sent from my iToaster
9:55 a.m.
New subject: Fedora default services
On 12/07/2010 10:20 AM, Michał Piotrowski wrote:
How many users use NFS on desktop? This is not even used on all
servers.
So the question is - do we want to have NFS by default?
I use samba and I don't want to force all users to install it by default.
No idea how many but count me in - on our home network (assume thats
what a desktop is?) we use NFS for all the linux boxes (and mac's), and
samba for the small number of windows machines.
Are you talking of LiveCD install or regular full install - on the
latter for sure NFS should be installed - in my view. The former I never
use :-)
11:38 a.m.
New subject: Fedora default services
2010/12/7 Genes MailLists <lists(a)sapience.com>:
On 12/07/2010 10:20 AM, Michał Piotrowski wrote:
> How many users use NFS on desktop? This is not even used on all servers.
>
> So the question is - do we want to have NFS by default?
>
> I use samba and I don't want to force all users to install it by default.
>
No idea how many but count me in - on our home network (assume thats
what a desktop is?) we use NFS for all the linux boxes (and mac's), and
samba for the small number of windows machines.
Are you talking of LiveCD install or regular full install - on the
latter for sure NFS should be installed - in my view. The former I never
use :-)
Ok, but IMO NFS is not something essential and crucial for 99% boxes
out there, that needs to be turned on by default for all users. Do we
agree with this?
--
Best regards,
Michal
Sent from my iToaster
3:11 p.m.
On Mon, Dec 06, 2010 at 08:08:49PM -0600, Chris Adams wrote:
Once upon a time, Adam Williamson <awilliam(a)redhat.com> said:
> On most laptops, however, which are the most common types of system sold
> today, a firewall is very definitely needed when you're connecting to
> hotel networks, public wifi access points...
The only thing you need a firewall by default for is to prevent services
that are listening on the network from being accessible. The better
solution is to stop having services listen on the network by default.
This was done for sendmail many years ago; why hasn't it been done for
other things, such as rpcbind (and RPC services), cups, etc.? These
daemons should bind to localhost only unless otherwise configured.
Afaik ntpd, sobby and software written in erlang (e.g. ejabberd) does not
support this (completely).
Regards
Till
5:57 p.m.
Chris Adams wrote:
The only thing you need a firewall by default for is to prevent
services
that are listening on the network from being accessible. The better
solution is to stop having services listen on the network by default.
FWIW, this is what Ubuntu has been doing for ages (they call it "zero open
ports policy"), and AFAIK they do not enable iptables by default because of
this.
That said, "zero open ports" also got complaints, e.g. because they disabled
the CUPS web-based configuration interface to close port 631.
Kevin Kofler
11:01 a.m.
On Mon, 6 Dec 2010 06:34:45 +0100
Michał Piotrowski <mkkp4x4(a)gmail.com> wrote:
Hi,
W dniu 3 grudnia 2010 09:14 użytkownik Michał Piotrowski
<mkkp4x4(a)gmail.com> napisał:
[..]
> What services are installed by default when installong form Live
> GNOME/KDE/etc and DVD?
Ok, let's ask the question differently - what services should be run
by default to provide working system for desktop user?
Perhaps we can ask this even more differently:
What are you trying to do? Whats your high level goal here?
Boot speed? Number of packages installed?
IMO ssh can be off by default and should be started only if user
tries
to connect over port 22.
If systemd will allow us to do that, sure.
Do we really need to install iptables/ip6tables by default (it's
in
core group)?
Yes, I think so. Either firewall by default, or we need to make sure
nothing is running that listens externally to reduce security
footprint, IMHO.
kevin
11:17 a.m.
Kevin Fenzi (kevin(a)scrye.com) said:
> IMO ssh can be off by default and should be started only if user
tries
> to connect over port 22.
If systemd will allow us to do that, sure.
What's the point here? For example, this doesn't cut down on the number
of listening ports, obviously, nor on the requirements for root passwords
and potential root login. And if it's started in parallel, I doubt it's a
huge drain on resources.
Bill
11:22 a.m.
2010/12/6 Bill Nottingham <notting(a)redhat.com>:
Kevin Fenzi (kevin(a)scrye.com) said:
> > IMO ssh can be off by default and should be started only if user tries
> > to connect over port 22.
>
> If systemd will allow us to do that, sure.
What's the point here? For example, this doesn't cut down on the number
of listening ports, obviously, nor on the requirements for root passwords
and potential root login. And if it's started in parallel, I doubt it's a
huge drain on resources.
"For a fast and efficient boot-up two things are crucial:
* To start less.
* And to start more in parallel."
http://0pointer.de/blog/projects/systemd.html
IMO "start less" philosophy is a good thing.
Bill
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
--
Best regards,
Michal
Sent from my iToaster
11:30 a.m.
Michał Piotrowski (mkkp4x4(a)gmail.com) said:
>> If systemd will allow us to do that, sure.
>
> What's the point here? For example, this doesn't cut down on the number
> of listening ports, obviously, nor on the requirements for root passwords
> and potential root login. And if it's started in parallel, I doubt it's a
> huge drain on resources.
"For a fast and efficient boot-up two things are crucial:
* To start less.
* And to start more in parallel."
http://0pointer.de/blog/projects/systemd.html
IMO "start less" philosophy is a good thing.
Yes. However, I'm leery of adding too many drastic changes that don't have
upstream buy-in yet. What's upstream openssh's opinion on socket activation?
Bill
1:22 p.m.
2010/12/6 Bill Nottingham <notting(a)redhat.com>:
Michał Piotrowski (mkkp4x4(a)gmail.com) said:
> >> If systemd will allow us to do that, sure.
> >
> > What's the point here? For example, this doesn't cut down on the number
> > of listening ports, obviously, nor on the requirements for root passwords
> > and potential root login. And if it's started in parallel, I doubt it's
a
> > huge drain on resources.
>
> "For a fast and efficient boot-up two things are crucial:
>
> * To start less.
> * And to start more in parallel."
>
> http://0pointer.de/blog/projects/systemd.html
>
> IMO "start less" philosophy is a good thing.
Yes. However, I'm leery of adding too many drastic changes that don't have
upstream buy-in yet.
I understand your POV.
What's upstream openssh's opinion on socket activation?
Does openssh stands out something special between other demons?
Bill
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
--
Best regards,
Michal
Sent from my iToaster
1:32 p.m.
Michał Piotrowski píše v Po 06. 12. 2010 v 20:22 +0100:
2010/12/6 Bill Nottingham <notting(a)redhat.com>:
Does openssh stands out something special between other demons?
Actually, it does -
for remote installations (sometimes the only option)
ssh needs to be running after installation so that the system
administrator can connect to it and start configuring it. Other
services are not necessary like this.
(Yes, the system administrator can write a kickstart script that enables
the service after installation. I'm not sure that something we can ask
a novice sysadmin to do, however.)
Mirek
5:18 p.m.
New subject: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Mon, 06.12.10 12:30, Bill Nottingham (notting(a)redhat.com) wrote:
Michał Piotrowski (mkkp4x4(a)gmail.com) said:
> >> If systemd will allow us to do that, sure.
> >
> > What's the point here? For example, this doesn't cut down on the
number
> > of listening ports, obviously, nor on the requirements for root passwords
> > and potential root login. And if it's started in parallel, I doubt it's
a
> > huge drain on resources.
>
> "For a fast and efficient boot-up two things are crucial:
>
> * To start less.
> * And to start more in parallel."
>
> http://0pointer.de/blog/projects/systemd.html
>
> IMO "start less" philosophy is a good thing.
Yes. However, I'm leery of adding too many drastic changes that don't have
upstream buy-in yet. What's upstream openssh's opinion on socket activation?
There's no need to patch ssh. It can do inetd-style socket activation
just fine, and has been supporting that upstream since basically its
inception. From that I would deduce that upstream is fine with
it. systemd supports inetd-style activation too just fine. MacOS X has
been installing sshd by default with socket activation enabled, and if
they can do that I think we can do that on Fedora, too.
(There are cases where socket-activated ssh is not useful, and you want
the real-deal with sshd listening itself, but that shouldn't stop us
from installing sshd socket-activated by default, since it is easy to
switch back to the traditional way.)
Lennart
--
Lennart Poettering - Red Hat, Inc.
11:17 a.m.
W dniu 6 grudnia 2010 18:01 użytkownik Kevin Fenzi <kevin(a)scrye.com> napisał:
On Mon, 6 Dec 2010 06:34:45 +0100
Michał Piotrowski <mkkp4x4(a)gmail.com> wrote:
> Hi,
>
> W dniu 3 grudnia 2010 09:14 użytkownik Michał Piotrowski
> <mkkp4x4(a)gmail.com> napisał:
> [..]
> > What services are installed by default when installong form Live
> > GNOME/KDE/etc and DVD?
>
> Ok, let's ask the question differently - what services should be run
> by default to provide working system for desktop user?
Perhaps we can ask this even more differently:
What are you trying to do?
I'm trying to convert sysvinit scripts to systemd services (as many as possible)
Whats your high level goal here?
Boot speed? Number of packages installed?
I know it will not be possible to convert all sysvinit scripts for
F15, but at least we can try to provide "full systemd experience" for
most common configurations.
--
Best regards,
Michal
Sent from my iToaster
11:43 a.m.
On Mon, 6 Dec 2010 18:17:51 +0100
Michał Piotrowski <mkkp4x4(a)gmail.com> wrote:
W dniu 6 grudnia 2010 18:01 użytkownik Kevin Fenzi
<kevin(a)scrye.com>
napisał:
...snip...
> What are you trying to do?
I'm trying to convert sysvinit scripts to systemd services (as many
as possible)
If you're trying to determine what units should be enabled by default,
please talk to the Fedora Packaging Comittee.
See also:
https://fedorahosted.org/fesco/ticket/504
Where fesco decided:
"Default is off, exceptions exist to allow proper functioning of the
os. FPC to document exceptions and process exception requests."
FPC was going to work on a exceptions list I think...
kevin
11:55 a.m.
W dniu 6 grudnia 2010 18:43 użytkownik Kevin Fenzi <kevin(a)scrye.com> napisał:
On Mon, 6 Dec 2010 18:17:51 +0100
Michał Piotrowski <mkkp4x4(a)gmail.com> wrote:
> W dniu 6 grudnia 2010 18:01 użytkownik Kevin Fenzi <kevin(a)scrye.com>
> napisał:
...snip...
> > What are you trying to do?
>
> I'm trying to convert sysvinit scripts to systemd services (as many
> as possible)
If you're trying to determine what units should be enabled by default,
please talk to the Fedora Packaging Comittee.
See also:
https://fedorahosted.org/fesco/ticket/504
Where fesco decided:
"Default is off, exceptions exist to allow proper functioning of the
os. FPC to document exceptions and process exception requests."
FPC was going to work on a exceptions list I think...
This list will be useful.
Dear FPC people, could you provide this list in the near future?
kevin
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
--
Best regards,
Michal
Sent from my iToaster
5:07 p.m.
On Mon, Dec 06, 2010 at 06:55:20PM +0100, Michał Piotrowski wrote:
W dniu 6 grudnia 2010 18:43 użytkownik Kevin Fenzi
<kevin(a)scrye.com> napisał:
> On Mon, 6 Dec 2010 18:17:51 +0100
> Michał Piotrowski <mkkp4x4(a)gmail.com> wrote:
>
>> W dniu 6 grudnia 2010 18:01 użytkownik Kevin Fenzi <kevin(a)scrye.com>
>> napisał:
>
> ...snip...
>
>> > What are you trying to do?
>>
>> I'm trying to convert sysvinit scripts to systemd services (as many
>> as possible)
>
> If you're trying to determine what units should be enabled by default,
> please talk to the Fedora Packaging Comittee.
>
> See also:
> https://fedorahosted.org/fesco/ticket/504
>
> Where fesco decided:
>
> "Default is off, exceptions exist to allow proper functioning of the
> os. FPC to document exceptions and process exception requests."
>
> FPC was going to work on a exceptions list I think...
This list will be useful.
Dear FPC people, could you provide this list in the near future?
Feedback appreciated -- what do you think should be on? What do you think
should be off? Right now I think we'd make an exception for ssh (a really
big exception since it's a network facing service, even). Dbus and
default syslog variant also spring to mind which might be. Those might be
able to start defining a category of "things needed to run a desktop
session" or something.
iptables, auditd, restorecond sound like keepers -- maybe a category here
would be things that add to system security in a default install. For this
category we'd want to be careful, do we also want to allow fail2ban or
denyhosts to run by default if they're installed?
Other categories or specific examples would be good.
-Toshio
5:38 p.m.
2010/12/7 Toshio Kuratomi <a.badger(a)gmail.com>:
On Mon, Dec 06, 2010 at 06:55:20PM +0100, Michał Piotrowski wrote:
> W dniu 6 grudnia 2010 18:43 użytkownik Kevin Fenzi <kevin(a)scrye.com> napisał:
> > On Mon, 6 Dec 2010 18:17:51 +0100
> > Michał Piotrowski <mkkp4x4(a)gmail.com> wrote:
> >
> >> W dniu 6 grudnia 2010 18:01 użytkownik Kevin Fenzi <kevin(a)scrye.com>
> >> napisał:
> >
> > ...snip...
> >
> >> > What are you trying to do?
> >>
> >> I'm trying to convert sysvinit scripts to systemd services (as many
> >> as possible)
> >
> > If you're trying to determine what units should be enabled by default,
> > please talk to the Fedora Packaging Comittee.
> >
> > See also:
> > https://fedorahosted.org/fesco/ticket/504
> >
> > Where fesco decided:
> >
> > "Default is off, exceptions exist to allow proper functioning of the
> > os. FPC to document exceptions and process exception requests."
> >
> > FPC was going to work on a exceptions list I think...
>
> This list will be useful.
>
> Dear FPC people, could you provide this list in the near future?
>
Feedback appreciated -- what do you think should be on? What do you think
should be off? Right now I think we'd make an exception for ssh (a really
big exception since it's a network facing service, even).
Ok
Dbus and
default syslog variant also spring to mind which might be.
Ok
Those might be
able to start defining a category of "things needed to run a desktop
session" or something.
iptables,
no chance to disable this
I guess ip6tables too?
auditd, restorecond sound like keepers -- maybe a category here
would be things that add to system security in a default install.
These are things related to core system security, so should be enabled.
For this
category we'd want to be careful, do we also want to allow fail2ban or
denyhosts to run by default if they're installed?
No, other things not related with SELinux (or something that we could
call "core security subsystem") should be IMHO off by default.
Other categories or specific examples would be good.
Cron - but should be activated only when cron files exist
It seems to me that the list:
- ssh
- Dbus
- syslog
- iptables
- ip6tables
- auditd
- restorecond
is an absolute minimum to get "working system".
- udev-post ? - is it needed for F15?
- mdmonitor and lvm2-monitor? - are they needed for proper working MD's/LVM's?
- network/Networkmanager ?
Everything else that is not essential for Fedora security, basic
desktop functionality should be IMO off by default.
-Toshio
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
--
Best regards,
Michal
Sent from my iToaster
6:03 p.m.
On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
Cron - but should be activated only when cron files exist
It seems to me that the list:
- ssh
- Dbus
- syslog
- iptables
- ip6tables
- auditd
- restorecond
is an absolute minimum to get "working system".
I don't agree that ssh is required for a "working system". A desktop
user may never ssh to his/her own machine. (Whether to enable ssh by
default is a different question.)
--
Matt
6:07 p.m.
2010/12/7 Matt McCutchen <matt(a)mattmccutchen.net>:
On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
> Cron - but should be activated only when cron files exist
>
> It seems to me that the list:
> - ssh
> - Dbus
> - syslog
> - iptables
> - ip6tables
> - auditd
> - restorecond
> is an absolute minimum to get "working system".
I don't agree that ssh is required for a "working system".
It's required for all systems without display device
A desktop
user may never ssh to his/her own machine.
That's why it should be socket activated as soon as possible
(Whether to enable ssh by
default is a different question.)
--
Matt
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
--
Best regards,
Michal
Sent from my iToaster
6:43 p.m.
On Tue, 2010-12-07 at 01:07 +0100, Michał Piotrowski wrote:
2010/12/7 Matt McCutchen <matt(a)mattmccutchen.net>:
> On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
>> Cron - but should be activated only when cron files exist
>>
>> It seems to me that the list:
>> - ssh
>> - Dbus
>> - syslog
>> - iptables
>> - ip6tables
>> - auditd
>> - restorecond
>> is an absolute minimum to get "working system".
>
> I don't agree that ssh is required for a "working system".
It's required for all systems without display device
That is, some servers. It needs to be easy to enable sshd when
installing a server, but I don't see a reason to have it enabled by
default on desktops.
--
Matt
9:53 p.m.
New subject: Fedora default services
On 12/06/2010 07:07 PM, Michał Piotrowski wrote:
> A desktop
> user may never ssh to his/her own machine.
That's why it should be socket activated as soon as possible
Question - what do we imagine happens if user starts a service
listening on port 2222 (which happens to be sshd) ? Will the firewall
open up that port to the outside ? Or is the answer nothing as 2222 is
not a designated auto start service ?
1:52 a.m.
Dne 7.12.2010 01:03, Matt McCutchen napsal(a):
I don't agree that ssh is required for a "working
system". A desktop
user may never ssh to his/her own machine. (Whether to enable ssh by
default is a different question.)
Please do keep sshd enabled by default ... be it daemon, inetd service,
systemd service, or whatever is the current fad. It is so useful for
remote administering even very desktop computers of our spouses,
parents, aunts on the other side of the city. Yes, it is difficult to
explain them how to get their current IP address from whatsmyip.com, but
it would cripplingly difficult to explain them how to start a daemon.
Please.
Matěj
9:05 a.m.
New subject: Fedora default services
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/06/2010 07:03 PM, Matt McCutchen wrote:
On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
> Cron - but should be activated only when cron files exist
>
> It seems to me that the list:
> - ssh
> - Dbus
> - syslog
> - iptables
> - ip6tables
> - auditd
> - restorecond
> is an absolute minimum to get "working system".
I don't agree that ssh is required for a "working system". A desktop
user may never ssh to his/her own machine. (Whether to enable ssh by
default is a different question.)
restorecond is not required and defaults to off.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkz+TTQACgkQrlYvE4MpobPvOQCgx4DorcCRSrqnSVWCUaPOPYZJ
I78AoJhTwVX2NVU6Zek+dKgGpQ0TX2eC
=mOp9
-----END PGP SIGNATURE-----
6:10 p.m.
On Tue, Dec 07, 2010 at 12:38:07AM +0100, Michał Piotrowski wrote:
2010/12/7 Toshio Kuratomi <a.badger(a)gmail.com>:
> Those might be
> able to start defining a category of "things needed to run a desktop
> session" or something.
>
> iptables,
no chance to disable this
I'd be more inclined to ask what benefit we have to turning the firewall off
vs having a more permissive set of firewall rules by default. AFAIK,
turning the firewall on doesn't currently turn on any additional daemon --
it just sets up the defined rules.
I guess ip6tables too?
Yep.
Would you be willing to write up a Packaging Draft and add it to the FPC
tracker? If not, I'll bring it up in the Packaging Meeting on Wednesday
morning.
-Toshio
12:14 a.m.
2010/12/7 Toshio Kuratomi <a.badger(a)gmail.com>:
On Tue, Dec 07, 2010 at 12:38:07AM +0100, Michał Piotrowski wrote:
> 2010/12/7 Toshio Kuratomi <a.badger(a)gmail.com>:
> > Those might be
> > able to start defining a category of "things needed to run a desktop
> > session" or something.
> >
> > iptables,
>
> no chance to disable this
>
I'd be more inclined to ask what benefit we have to turning the firewall off
vs having a more permissive set of firewall rules by default. AFAIK,
turning the firewall on doesn't currently turn on any additional daemon --
it just sets up the defined rules.
> I guess ip6tables too?
>
Yep.
Would you be willing to write up a Packaging Draft and add it to the FPC
tracker? If not, I'll bring it up in the Packaging Meeting on Wednesday
morning.
I'm not Fedora developer, I just create service files :)
-Toshio
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
--
Best regards,
Michal
Sent from my iToaster
1:04 a.m.
On Tue, Dec 07, 2010 at 07:14:16AM +0100, Michał Piotrowski wrote:
2010/12/7 Toshio Kuratomi <a.badger(a)gmail.com>:
> On Tue, Dec 07, 2010 at 12:38:07AM +0100, Michał Piotrowski wrote:
>> 2010/12/7 Toshio Kuratomi <a.badger(a)gmail.com>:
>> > Those might be
>> > able to start defining a category of "things needed to run a desktop
>> > session" or something.
>> >
>> > iptables,
>>
>> no chance to disable this
>>
> I'd be more inclined to ask what benefit we have to turning the firewall off
> vs having a more permissive set of firewall rules by default. AFAIK,
> turning the firewall on doesn't currently turn on any additional daemon --
> it just sets up the defined rules.
>
>> I guess ip6tables too?
>>
> Yep.
>
> Would you be willing to write up a Packaging Draft and add it to the FPC
> tracker? If not, I'll bring it up in the Packaging Meeting on Wednesday
> morning.
I'm not Fedora developer, I just create service files :)
Okay... I doubt we'll nail this down for a while then.... Here's the ticket
I've opened:
https://fedorahosted.org/fpc/ticket/41
I have a feeling those categories don't account for everything yet... For
instance, readahead, abrtd... look in your /etc/init.d/ directory on F14 and
tell me what things that are there could have a justification.
-Toshio
6:28 p.m.
New subject: Fedora default services
>>>> "MP" == Michał Piotrowski
<mkkp4x4(a)gmail.com> writes:
MP> Dear FPC people, could you provide this list in the near future?
We haven't even met since it was decided that we were to do this. I
imagine it would take a couple of meetings to bang out a list.
- J<
4858
days inactive
4890
days old
135 comments
39 participants
participants (39)
-
Adam Jackson -
Adam Williamson -
Bastien Nocera -
Bill Nottingham -
Chris Adams -
Curtis Doty -
Daniel J Walsh -
Daniel P. Berrange -
Dennis Jacobfeuerborn -
Domingo Becker -
Genes MailLists -
Hans de Goede -
Jason L Tibbitts III -
Jeff Raber -
Jesse Keating -
Kevin Fenzi -
Kevin Kofler -
Lennart Poettering -
Matej Cepl -
Matt McCutchen -
Matthew Miller -
Matthias Clasen -
Michael Cronenworth -
Michał Piotrowski -
Miloslav Trmač -
Nicolas Mailhot -
nodata -
Orion Poplawski -
Phil Knirsch -
Richard W.M. Jones -
Rodd Clarkson -
Seth Vidal -
Stephen John Smoogen -
Till Maas -
Tim Waugh -
Tom Lane -
Tomas Mraz -
Tomasz Torcz -
Toshio Kuratomi