Firewall blocking desktop features

Alec Leamas leamas.alec at gmail.com
Wed Sep 11 12:56:12 UTC 2013


On 2013-09-11 14:46, Daniel J Walsh wrote:
>
> On 09/11/2013 06:35 AM, Heiko Adams wrote:
>> On 11.09.2013 12:30, Alec Leamas wrote:
>>> That said, I see your point. Seems to boil down to that only the
>>> application knows which port(s) to open and why, whereas only the
>>> firewall can guarantee that it actually opens the ports requested by
>>> user instead of something else.
>>>
>> So the application needs to ask the firewall to open one or more ports and
>> the firewall has to ask the user for permission to do so. In this scenario
>> the firewall knows what application wants which port(s) to be open. Letting
>> the application directly ask for permission to punch holes in the firewall
>> is IMHO the worst case of all and a security nightmare.
>>
>>
>>
> Asking my wife if she intends to open port 2345 is a waste of time.  She has
> no idea whether or not this is required.  And will quickly learn to answer ok.
>
> Asking her "Do you want to make security changes to share directory
> /home/phyllis/Share?"  Or
>
> Do you want to make security changes to share Printer XYZ?
>
> Would make sense.
>
> If we had applications register prompts/ports in the installed package that
> firewalld could look up and send the prompt to the user would be the best
> solution to this problem.
>
> This of course does not stop firefox plugin from attempting to share a
> directory, but my wife would have more of a chance to say no.
>
Although this would work for both our wives I'd hate it myself. There
needs to be some way in the interface to understand what's *really*
going on here, the ports opened, triggers etc. But not unless requested,
agreed.
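
The registration idea discussed in this thread, as an added sketch that is not part of the original message and not firewalld's API: packages register a prompt plus the ports it covers, the firewall refuses anything outside that registration, and port details are shown only on request. The registry layout, the function names and the sample entries are assumptions constructed for illustration.

```python
# Added sketch: hypothetical prompt/port registry; not firewalld code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Registration:
    package: str
    prompt: str        # task-level question shown to the user
    ports: frozenset   # (port, protocol) pairs the package declared

# Constructed sample registry, as if collected from installed packages.
REGISTRY = {
    "file-share": Registration(
        "file-share",
        "Do you want to make security changes to share directory {target}?",
        frozenset({(445, "tcp"), (139, "tcp")})),
    "printer-share": Registration(
        "printer-share",
        "Do you want to make security changes to share Printer {target}?",
        frozenset({(631, "tcp")})),
}

def build_request(app_id, target, requested_ports):
    """Return (prompt, details), or raise if the request does not match
    what the package registered at install time."""
    reg = REGISTRY.get(app_id)
    if reg is None:
        raise PermissionError(f"{app_id}: no registration, request refused")
    extra = set(requested_ports) - reg.ports
    if extra:
        # The firewall, not the application, decides what may be opened.
        raise PermissionError(f"{app_id}: unregistered ports {sorted(extra)}")
    prompt = reg.prompt.format(target=target)
    details = [f"{port}/{proto}" for port, proto in sorted(requested_ports)]
    return prompt, details

def decide(app_id, target, requested_ports, answer, show_details=False):
    """answer is the user's yes/no. Returns (ports_to_open, text_shown)."""
    prompt, details = build_request(app_id, target, requested_ports)
    shown = prompt
    if show_details:   # the "what's really going on" view, only on request
        shown += " Ports: " + ", ".join(details)
    return (sorted(requested_ports) if answer else []), shown
```
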

