Firewall
Chris Adams
cmadams at hiwaay.net
Tue Dec 7 15:27:28 UTC 2010
Once upon a time, Bill Nottingham <notting at redhat.com> said:
> Chris Adams (cmadams at hiwaay.net) said:
> > > a) binds to a local unprivileged UDP port
> > > b) sends a broadcast SNMP request
> > > c) listens for (unicast) responses to that request
> > >
> > > We don't hear any of those responses because they are not recognised as
> > > "related" by the kernel. The iptables rules drop them.
> > >
> > > If the CUPS snmp backend could say to "the firewall", "hey, please allow
> > > responses on this port I've got for the next few seconds" -- which can
> > > be controlled using PolicyKit -- then this network discovery would
> > > finally work.
> >
> > Congrats, you have re-invented UPnP, although a local-only version
> > maybe (not that I think that is necessarily a bad thing).
>
> I could be wrong, but I'd guess that any SNMP implementation probably
> predates UPnP by a good bit.
Oh yeah, that's not what I meant. I meant the "daemon needs to notify
firewall of temporary change" mechanism is not a new requirement. UPnP
may not be the best way of doing that, but it would probably be better
to implement that for this kind of thing, rather than re-invent the
wheel.
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
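The quoted CUPS case (bind an unprivileged UDP port, broadcast an SNMP request, then receive unicast replies that stateful tracking does not consider "related") is easy to reason about with a small model. The Python below is an added example, not code from this thread, CUPS or the kernel: it is a deliberately simplified model of reverse-tuple UDP connection tracking, with a "temporary allow" table standing in for the PolicyKit-mediated request described above. All addresses, ports and timings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A flow tuple: (src, sport, dst, dport)
Tuple4 = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Conntrack:
    """Simplified model (constructed for this example): an inbound UDP packet
    is treated as ESTABLISHED only if it is the exact reverse of a tuple we
    previously sent. A broadcast request therefore never "expects" unicast
    replies from individual hosts, which is the failure the thread describes."""

    def __init__(self) -> None:
        self.expected: Set[Tuple4] = set()
        # Hypothetical temporary-allow table: local port -> expiry time.
        self.temp_allow: Dict[int, float] = {}

    def outbound(self, p: Packet) -> None:
        # Record the reply tuple we would accept back.
        self.expected.add((p.dst, p.dport, p.src, p.sport))

    def allow_port(self, port: int, now: float, seconds: float) -> None:
        # Stand-in for "please allow responses on this port for a few seconds".
        self.temp_allow[port] = now + seconds

    def inbound(self, p: Packet, now: float) -> str:
        if (p.src, p.sport, p.dst, p.dport) in self.expected:
            return "ACCEPT:established"
        expiry = self.temp_allow.get(p.dport)
        if expiry is not None and now < expiry:
            return "ACCEPT:temporary"
        return "DROP"


LOCAL = "192.168.1.10"        # constructed address of the CUPS host
LOCAL_PORT = 40000            # constructed unprivileged port the backend bound
BROADCAST = "192.168.1.255"   # constructed subnet broadcast address
SNMP_PORT = 161


def discovery(with_temporary_rule: bool, reply_time: float = 1.0) -> List[str]:
    """Broadcast an SNMP request, then see how two unicast replies fare."""
    ct = Conntrack()
    ct.outbound(Packet(LOCAL, LOCAL_PORT, BROADCAST, SNMP_PORT))
    if with_temporary_rule:
        ct.allow_port(LOCAL_PORT, now=0.0, seconds=5.0)
    replies = [
        Packet("192.168.1.5", SNMP_PORT, LOCAL, LOCAL_PORT),  # constructed printer
        Packet("192.168.1.7", SNMP_PORT, LOCAL, LOCAL_PORT),  # constructed printer
    ]
    return [ct.inbound(r, now=reply_time) for r in replies]


def unicast_query() -> str:
    """Contrast: a unicast request's reply matches the reverse tuple directly."""
    ct = Conntrack()
    ct.outbound(Packet(LOCAL, LOCAL_PORT, "192.168.1.5", SNMP_PORT))
    return ct.inbound(Packet("192.168.1.5", SNMP_PORT, LOCAL, LOCAL_PORT), now=1.0)


if __name__ == "__main__":
    print("broadcast, no rule:   ", discovery(False))
    print("broadcast, temp rule: ", discovery(True))
    print("broadcast, rule expired:", discovery(True, reply_time=10.0))
    print("unicast:              ", unicast_query())
```

The interesting property is the third case: once the window lapses, late replies are dropped again, which is what keeps a temporary, port-scoped allowance narrower than a standing hole for UDP/161 traffic.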