Firewall blocking desktop features

Daniel J Walsh dwalsh at redhat.com
Wed Sep 11 12:46:14 UTC 2013


On 09/11/2013 06:35 AM, Heiko Adams wrote:
> On 11.09.2013 12:30, Alec Leamas wrote:
>> 
>> That said, I see your point.  Seems to boil down to that only the 
>> application knows which port(s)  to open and why, whereas only the 
>> firewall can guarantee  that it actually opens the ports requested by 
>> user instead of something else.
>> 
> So the application needs to ask the firewall to open one or more ports and
> the firewall has to ask the user for permission to do so. In this scenario
> the firewall knows what application wants which port(s) to be open. Letting
> the application directly ask for permission to punch holes in the firewall
> is IMHO the worst case of all and a security nightmare.
> 
> 
> 

Asking my wife if she intends to open port 2345 is a waste of time.  She has
no idea whether or not this is required.  And will quickly learn to answer ok.

Asking her "Do you want to make security changes to share directory
/home/phyllis/Share?"  Or

Do you want to make security changes to share Printer XYZ?

Would make sense.

If we had applications register prompts/ports in the installed package that
firewalld could look up and send the prompt to the user would be the best
solution to this problem.

This of course does not stop firefox plugin from attempting to share a
directory, but my wife would have more of a chance to say no.


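The registration idea in the message above, sketched as an added example; it is not part of the original message and is not firewalld's actual API or file format. The feature names, package names, manifest layout, the printer port and `handle_request` are hypothetical; the prompt wording, port 2345 and the share path are taken from the message.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data standing in for manifests that packages would
# install; the layout is hypothetical, not a real firewalld format.
REGISTERED = {
    "file-share": {
        "package": "example-fileshare",
        "ports": [("tcp", 2345)],
        "prompt": "Do you want to make security changes to share directory {resource}?",
    },
    "printer-share": {
        "package": "example-printing",
        "ports": [("tcp", 631)],
        "prompt": "Do you want to make security changes to share Printer {resource}?",
    },
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    prompt: Optional[str]  # text shown to the user, None if never asked
    ports: tuple           # ports the firewall would open


def handle_request(feature: str, resource: str,
                   ask_user: Callable[[str], bool]) -> Decision:
    """Firewall-side handler: the caller names a registered feature, never a port."""
    entry = REGISTERED.get(feature)
    if entry is None:
        # Unregistered feature: deny without prompting, so the user is not
        # trained to answer OK to questions they cannot judge.
        return Decision(False, None, ())
    # Drop non-printable characters so the resource name cannot reshape the prompt.
    safe = "".join(c for c in resource if c.isprintable())
    prompt = entry["prompt"].format(resource=safe)
    if not ask_user(prompt):
        return Decision(False, prompt, ())
    # Ports come from the installed manifest, not from the requesting process.
    return Decision(True, prompt, tuple(entry["ports"]))
```
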

