Firewall

Chris Adams cmadams at hiwaay.net
Tue Dec 7 15:27:28 UTC 2010


Once upon a time, Bill Nottingham <notting at redhat.com> said:
> Chris Adams (cmadams at hiwaay.net) said: 
> > > a) binds to a local unprivileged UDP port
> > > b) sends a broadcast SNMP request
> > > c) listens for (unicast) responses to that request
> > > 
> > > We don't hear any of those responses because they are not recognised as
> > > "related" by the kernel.  The iptables rules drop them.
> > > 
> > > If the CUPS snmp backend could say to "the firewall", "hey, please allow
> > > responses on this port I've got for the next few seconds" -- which can
> > > be controlled using PolicyKit -- then this network discovery would
> > > finally work.
> > 
> > Congrats, you have re-invented UPnP, although a local-only version
> > maybe (not that I think that is necessarily a bad thing).
> 
> I could be wrong, but I'd guess that any SNMP implementation probably
> predates UPnP by a good bit.

Oh yeah, that's not what I meant.  I meant the "daemon needs to notify
firewall of temporary change" mechanism is not a new requirement.  UPnP
may not be the best way of doing that, but it would probably be better
to implement that for this kind of thing, rather than re-invent the
wheel.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
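The following is an added illustration, not code from the thread or from CUPS. It models the part of the exchange above that a practitioner usually wants to see spelled out: why Netfilter's connection tracking treats the unicast replies to a broadcast SNMP request as NEW rather than ESTABLISHED (the reply tuple conntrack records points back at the broadcast address, so a reply from the printer's own address never matches it), and what a short-lived "allow replies on this local port" grant of the kind the thread proposes would accept and reject. The addresses, port numbers, the five-second window and the class names are all assumptions chosen for the example; the conntrack logic is a simplification that tracks only UDP tuples.

```python
# Added example (not from the thread): a minimal model of Netfilter UDP
# connection tracking plus a timed "allow this local port" grant, used to
# replay the CUPS snmp-backend discovery scenario from the discussion.
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UdpTuple:
    """Addresses and ports of one UDP datagram (protocol is fixed to UDP here)."""
    src: str
    sport: int
    dst: str
    dport: int


def reply_tuple(orig: UdpTuple) -> UdpTuple:
    """The reply direction conntrack records for an original-direction packet."""
    return UdpTuple(orig.dst, orig.dport, orig.src, orig.sport)


class ConntrackModel:
    """Records outbound UDP flows and classifies inbound datagrams against them."""

    def __init__(self) -> None:
        self.originals: set[UdpTuple] = set()

    def outbound(self, t: UdpTuple) -> None:
        self.originals.add(t)

    def classify(self, inbound: UdpTuple) -> str:
        # Only an exact match on the recorded reply tuple counts as ESTABLISHED;
        # a printer answering from its own address to a request that was sent
        # to the broadcast address does not match and is therefore NEW.
        if any(reply_tuple(o) == inbound for o in self.originals):
            return "ESTABLISHED"
        return "NEW"


class FakeClock:
    """Deterministic clock so the expiry of a grant can be demonstrated offline."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class TemporaryAllow:
    """Model of the proposed daemon-to-firewall request: open one local UDP
    port for a few seconds, optionally only for a given remote source port."""

    def __init__(self, clock=time.monotonic) -> None:
        self._clock = clock
        self._grants: dict[int, tuple[float, Optional[int]]] = {}

    def grant(self, local_port: int, seconds: float, remote_sport: Optional[int] = None) -> None:
        self._grants[local_port] = (self._clock() + seconds, remote_sport)

    def allows(self, inbound: UdpTuple) -> bool:
        entry = self._grants.get(inbound.dport)
        if entry is None:
            return False
        expiry, required_sport = entry
        if self._clock() >= expiry:
            del self._grants[inbound.dport]  # window closed; forget the grant
            return False
        return required_sport is None or inbound.sport == required_sport


def verdict(ct: ConntrackModel, allow: TemporaryAllow, inbound: UdpTuple) -> str:
    """Typical input policy: ESTABLISHED first, then explicit grants, else DROP."""
    if ct.classify(inbound) == "ESTABLISHED":
        return "ACCEPT"
    if allow.allows(inbound):
        return "ACCEPT"
    return "DROP"


# Assumed addresses for the scenario (constructed for this example).
HOST, PRINTER, BCAST, SNMP = "192.168.1.10", "192.168.1.50", "192.168.1.255", 161


def run_discovery(clock: Optional[FakeClock] = None) -> dict[str, str]:
    """Replays the discovery scenario from the thread; returns a verdict per step."""
    clock = clock or FakeClock()
    ct, allow = ConntrackModel(), TemporaryAllow(clock)
    results: dict[str, str] = {}
    # 1. A unicast probe: the reply matches the recorded reply tuple.
    ct.outbound(UdpTuple(HOST, 40000, PRINTER, SNMP))
    results["unicast_reply"] = verdict(ct, allow, UdpTuple(PRINTER, SNMP, HOST, 40000))
    # 2. The broadcast probe from a fresh unprivileged port: the unicast reply
    #    does not match, so it is NEW and the default policy drops it.
    ct.outbound(UdpTuple(HOST, 40001, BCAST, SNMP))
    reply = UdpTuple(PRINTER, SNMP, HOST, 40001)
    results["broadcast_reply"] = verdict(ct, allow, reply)
    # 3. The backend asks the firewall for a 5-second window on its port,
    #    restricted to replies coming from the SNMP port.
    allow.grant(40001, 5, remote_sport=SNMP)
    results["granted"] = verdict(ct, allow, reply)
    results["granted_wrong_sport"] = verdict(ct, allow, UdpTuple("10.0.0.9", 9999, HOST, 40001))
    # 4. After the window the port is closed again.
    clock.advance(6)
    results["expired"] = verdict(ct, allow, reply)
    return results


if __name__ == "__main__":
    for step, result in run_discovery().items():
        print(f"{step}: {result}")
```

Two points the model makes visible. First, the grant is keyed by the local port only, so without the `remote_sport` restriction any host that can reach the machine could deliver datagrams to that port during the window; a real implementation would also want to limit it to the interface or subnet the broadcast went out on. Second, the grant must expire on its own rather than rely on the daemon remembering to revoke it, since a crashed backend would otherwise leave the hole open. (A different route to the same goal, which the thread does not discuss, is a conntrack helper that records an expectation for the unicast replies to a broadcast; Linux later gained such a helper for SNMP as `nf_conntrack_snmp`.)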

