RFE: FireKit

Stephen Gallagher sgallagh at redhat.com
Fri Jul 24 12:05:25 UTC 2009


On 07/23/2009 05:54 PM, Ahmed Kamal wrote:
>     To me it seems like a great idea, but your usual computer user
>     does not really know about Apache and ports, IPs and the like.
> 
> 
> Exactly the point, the user shares his desktop, or starts some service
> using the services GUI, and FireKit should offer to help. Moreover, this
> actually would improve desktop security, since without FireKit, a
> typical user after wasting half an hour, would understand it was the
> firewall blocking him, and would simply disable it for good. This
> happens on any OS. However, with FireKit, pro-actively offering to help
> the user, and requesting by default a limited time-window for opening
> the ports, actually ensures better desktop security.
>  
> 
>     Other than that, if you need help, ask.
> 
> 
> I do :) I'm not sure how this should integrate with policy-kit for
> allowing which users should be able to control the firewall. Should
> FireKit launch its own daemon that runs all the time, or is there some
> other way? How to control iptables without running shell commands, and
> how to hook on port creation events? I guess I should be using some
> Python RTNETLINK bindings, any ideas?
> Any examples, design decisions, and pointers to code samples to make my
> life easier are highly appreciated.
>  
> 
>     What language do you intend to implement this in?
> 
> 
> But of course Python ;)
> 
> Regards
> 

Python does not make for a particularly efficient long-running daemon.
And if your plan is to monitor for port openings in order to prompt,
it's going to need to be a long-running daemon (also you'll probably
want a kernel module component to signal your daemon when a port is opened).

If I might suggest, you probably want to use a compiled language like C.
The GLib C framework is probably a good approach, especially with its
excellent glib-dbus integration.

Furthermore, it would be an excellent idea to start putting together a
project and try to recruit developers. I'd recommend requesting a
project from someplace like Fedorahosted (or sourceforge, or freshmeat,
etc., but I like Fedorahosted personally... makes it easy for other
Fedora developers to contribute).

-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
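The port-monitoring step discussed in this thread, as an added example that is not part of the original message or of any FireKit code: it finds newly listening TCP ports by diffing two snapshots in `/proc/net/tcp` format, a polling approach used here in place of the kernel-module signal suggested above. The snapshots are constructed sample data, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define TCP_LISTEN 0x0A /* "st" column value for a listening socket */
#define HDR "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
#define TAIL " 00000000:00000000 00:00000000 00000000     0        0 "
/* Constructed snapshots in /proc/net/tcp layout (sample data, not captured). */
static const char SNAP_BEFORE[] = HDR
    "   0: 00000000:0016 00000000:0000 0A" TAIL "1001\n"
    "   1: 0100007F:0277 00000000:0000 0A" TAIL "1002\n";
static const char SNAP_AFTER[] = HDR
    "   0: 00000000:0016 00000000:0000 0A" TAIL "1001\n"
    "   1: 0100007F:0277 00000000:0000 0A" TAIL "1002\n"
    "   2: 00000000:0050 00000000:0000 0A" TAIL "1003\n"  /* port 80 now listening */
    "   3: 0A00000A:0016 0200000A:C350 01" TAIL "1004\n"; /* established, ignored */

/* Collect local ports of LISTEN sockets (IPv4 table only); returns the count. */
int listening_ports(const char *table, unsigned *out, int max)
{
    int n = 0;
    for (const char *line = table; line && *line && n < max; ) {
        unsigned port, state;
        if (sscanf(line, " %*d: %*x:%x %*x:%*x %x", &port, &state) == 2 && state == TCP_LISTEN)
            out[n++] = port;  /* header and malformed rows fail the sscanf and are skipped */
        if ((line = strchr(line, '\n'))) line++;
    }
    return n;
}

/* Store ports listening in `after` but not in `before`; returns the count. */
int diff_snapshots(const char *before, const char *after, unsigned *out, int max)
{
    unsigned prev[64], cur[64];
    int np = listening_ports(before, prev, 64), n = 0;
    int nc = listening_ports(after, cur, max < 64 ? max : 64);
    for (int i = 0; i < nc; i++) {
        int seen = 0;
        for (int j = 0; j < np; j++) seen |= (prev[j] == cur[i]);
        if (!seen) out[n++] = cur[i];  /* candidate for a time-limited firewall prompt */
    }
    return n;
}
int main(void)
{
    unsigned opened[64];
    int n = diff_snapshots(SNAP_BEFORE, SNAP_AFTER, opened, 64);
    while (n-- > 0) printf("new listening TCP port: %u\n", opened[n]);
    return 0;
}
```

A daemon built this way would read the live `/proc/net/tcp` on a timer; polling can miss a port that opens and closes between two reads.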



