Firewall blocking desktop features
leamas.alec at gmail.com
Wed Sep 11 12:56:12 UTC 2013
On 2013-09-11 14:46, Daniel J Walsh wrote:
> On 09/11/2013 06:35 AM, Heiko Adams wrote:
>> On 11.09.2013 12:30, Alec Leamas wrote:
>>> That said, I see your point. Seems to boil down to that only the
>>> application knows which port(s) to open and why, whereas only the
>>> firewall can guarantee that it actually opens the ports requested by
>>> user instead of something else.
>> So the application needs to ask the firewall to open one or more ports and
>> the firewall has to ask the user for permission to do so. In this scenario
>> the firewall knows what application wants which port(s) to be open. Letting
>> the application directly ask for permission to punch holes in the firewall
>> is IMHO the worst case of all and a security nightmare.
> Asking my wife if she intends to open port 2345 is a waste of time. She has
> no idea whether or not this is required. And will quickly learn to answer ok.
> Asking her "Do you want to make security changes to share directory
> /home/phyllis/Share?" Or
> Do you want to make security changes to share Printer XYZ?
> Would make sense.
> If we had applications register prompts/ports in the installed package that
> firewalld could look up and send the prompt to the user would be the best
> solution to this problem.
> This of course does not stop firefox plugin from attempting to share a
> directory, but my wife would have more of a chance to say no.
Although this would work for both our wives I'd hate it myself. There
needs to be some way in the interface to understand what's *really*
going on here, the ports opened, triggers etc. But not unless requested,