low-hanging fruit

Lennart Poettering mzerqung at 0pointer.de
Mon Aug 20 00:07:35 UTC 2007


On Fri, 17.08.07 02:30, Bastien Nocera (bnocera at redhat.com) wrote:

> > Anybody for firewall2allow?  (:
> 
> Maybe Lennart can fix it too? :)
> 
> Here's an old entry in my bookmarks:
> http://0pointer.de/lennart/projects/fieryfilter/
> http://0pointer.de/lennart/projects/fieryfilter/fieryfilter.png
> 
> This probably needs UI love, and use of D-Bus instead of Unix sockets
> for the admin rights, but the idea is there.

Fieryfilter used the userspace QUEUE netfilter target to do its
work. That sucked big time, because if the user didn't click away his
dialogs quick enough the sender would repeat its packet which is
difficult to deal with if you don't want to accumulate dialogs for the
same packets. 

If someone wants to investigate the whole desktop firewall for Linux
thing a little more I think it would make more sense to write an LSM
module for that kernel that intercepts the socket calls (i.e.,
accept(), listen(), connect() and friends) and relays them to
userspace for a verdict. Would be much cleaner and simpler. And would
also be a good excuse to keep LSM in the kernel. ;-)

(Hmm, that could also be integrated with PolicyKit...)

Last time I looked it was difficult to stack LSMs, hence this all is
not trivial.

When you do all that (moving it on the D-Bus, a new UI and basing the
work on LSM instead of netfilter) then you would not be able to keep a
single line of code of the old fieryfilter.

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net         ICQ# 11060553
http://0pointer.net/lennart/           GnuPG 0x1A015CC4
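The duplicate-dialog problem Lennart describes above (a sender retransmitting while the user has not yet answered the prompt) is easiest to see in a small simulation. This is an added example, not fieryfilter code or anything from the thread; it assumes a userspace filter that keys every packet on its constructed 5-tuple and keeps one verdict entry per flow:

```python
"""Constructed simulation of a per-flow verdict cache for a prompting firewall."""
from enum import Enum


class Verdict(Enum):
    PENDING = "pending"   # a dialog is open, the user has not answered yet
    ALLOW = "allow"
    DENY = "deny"


class VerdictCache:
    """Per-flow verdict table for a userspace packet filter.

    A flow is keyed by its 5-tuple (here a plain tuple: proto, src_ip,
    src_port, dst_ip, dst_port; constructed for the example). The first
    packet of an unknown flow opens one dialog and parks the flow as
    PENDING. Each retransmission arriving before the user clicks hits the
    same key and gets PENDING back instead of a second dialog. Once the
    user answers, the decision is reused for the rest of the flow.
    """

    def __init__(self):
        self.verdicts = {}
        self.dialogs_opened = []   # one entry per dialog actually shown

    def packet(self, flow):
        state = self.verdicts.get(flow)
        if state is None:
            self.verdicts[flow] = Verdict.PENDING
            self.dialogs_opened.append(flow)
            return Verdict.PENDING
        return state               # retransmission or already-decided flow

    def answer(self, flow, allow):
        if self.verdicts.get(flow) is not Verdict.PENDING:
            raise KeyError(f"no dialog pending for {flow}")
        self.verdicts[flow] = Verdict.ALLOW if allow else Verdict.DENY
        return self.verdicts[flow]


def simulate():
    """Replay one flow whose sender retransmits twice before the user clicks.

    Returns (number of dialogs opened, verdicts handed out in order)."""
    cache = VerdictCache()
    flow = ("tcp", "192.0.2.10", 40000, "192.0.2.20", 22)   # constructed
    seen = [cache.packet(flow) for _ in range(3)]  # SYN plus 2 retransmits
    cache.answer(flow, allow=True)                 # user finally clicks Allow
    seen.append(cache.packet(flow))                # next retransmit passes
    return len(cache.dialogs_opened), seen
```

Without the PENDING state every retransmission would fall through the `state is None` branch and open its own dialog, which is exactly the pile-up the message complains about.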