Firewall blocking desktop features

Bill Peck bpeck at redhat.com
Wed Sep 11 14:25:04 UTC 2013


On 09/11/2013 06:30 AM, Alec Leamas wrote:
> On 2013-09-11 12:02, Nicolas Mailhot wrote:
>>> On Wed 11 September 2013 11:23, Alec Leamas wrote:
>>> On 2013-09-11 11:11, Heiko Adams wrote:
>>>>> On 11.09.2013 10:41, Ankur Sinha wrote:
>>>>> - This software informs and takes permission from the user before
>>>>> opening ports in the firewall.
>>>> IMHO it should be the job of the firewall to inform the user about an
>>>> application that wants to open one or more ports and ask for
>>>> permission to open those ports, either temporarily for the current
>>>> session or permanently.
>>>>
>>>>
>>> Is this a good idea? The firewall just knows about an attempt to use a
>>> specific port. It does not know which application is *really*
>>> trying to use that port. It could certainly make an educated guess, but
>>> that's just not good enough in this context IMHO.
>>>
>>> OTOH, the application knows what ports it needs (even some which just
>>> might be used later) and can also identify itself to the user. Seems
>>> more reasonable to me.
>> The application can lie and propose to open X and then when user says ok
>> open Y. The prompt really needs to be initiated firewall-side
>>
>>
> True. But isn't there a lot to do if we should safeguard against
> local, lying applications? Well, we have the precompiled, proprietary
> ones...
>
> Even if an app isn't malware, most applications are just not designed
> for a scenario where the user is prompted to punch a hole in the
> firewall as soon as an attempt is made. There might be surprises down
> this road.
>
> That said, I see your point. Seems to boil down to that only the
> application knows which port(s) to open and why, whereas only the
> firewall can guarantee that it actually opens the ports requested by the
> user instead of something else.
>
> --alec

The application should request the ports to be opened, and the firewalld
layer should then confirm with the user, stating which ports and which
app requested said ports. The app can't lie if the firewall layer is
the one asking for confirmation.
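The design argued for above, sketched as an added example (not code from this thread or from firewalld): a hypothetical broker in which the application only submits a request, the identity and port list shown in the user prompt come from the broker itself, and only the ports the user actually saw and approved are opened, so an app that proposes one port and then tries to use another gains nothing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    app_id: str          # identity established by the broker, never claimed by the app
    ports: frozenset     # ports the app asked for, e.g. {"5353/udp"}


class FirewallBroker:
    """Hypothetical firewall-side mediator (assumed design, not firewalld's API).

    Apps can only submit requests. The broker builds the prompt from what it
    knows (peer identity from the trusted transport, the requested port list)
    and opens exactly the ports the user confirmed, nothing substituted later.
    """

    def __init__(self):
        self.pending = {}       # token -> Request awaiting a user decision
        self.open_ports = set()
        self._next_token = 0

    def request_ports(self, peer_identity, ports):
        # peer_identity would come from e.g. socket peer credentials in a real
        # broker; here the caller passes it in as a constructed sample value.
        token = self._next_token
        self._next_token += 1
        self.pending[token] = Request(peer_identity, frozenset(ports))
        return token

    def prompt_text(self, token):
        # This is what the user sees; it is derived from the broker's record.
        req = self.pending[token]
        return f"Allow {req.app_id} to open {sorted(req.ports)}?"

    def user_decision(self, token, approved):
        # Open only the recorded ports; the app has no say at this point.
        req = self.pending.pop(token)
        if not approved:
            return set()
        self.open_ports |= req.ports
        return set(req.ports)

    def is_open(self, port):
        return port in self.open_ports


def demo_bait_and_switch():
    """App asks for 5353/udp, user approves; a later attempt on 22/tcp stays blocked."""
    fw = FirewallBroker()
    token = fw.request_ports("org.example.Chat", {"5353/udp"})  # constructed sample
    prompt = fw.prompt_text(token)
    fw.user_decision(token, approved=True)
    return prompt, fw.is_open("5353/udp"), fw.is_open("22/tcp")
```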


