Firewall blocking desktop features

Daniel J Walsh dwalsh at redhat.com
Wed Sep 11 15:24:52 UTC 2013


On 09/11/2013 09:18 AM, Reindl Harald wrote:
> 
> 
> Am 11.09.2013 15:05, schrieb Daniel J Walsh:
>> On 09/11/2013 08:56 AM, Alec Leamas wrote:
>>> Although this would work for both our wives I'd hate it myself. There
>>> needs to be some way in the interface to understand what's *really*
>>> going on here, the ports opened, triggers etc. But not unless
>>> requested, agreed.
>> 
>> My idea is that Samba registers something with firewalld that says here
>> is the prompt to show if a process in user space says to open port 2345.
> 
> very very bad idea!
> 
In a perfect world I agree. Sadly we need something better than we currently
have.

Microsoft tried to tell the user about every port connection and this does
not work, because users have no idea.

I am trying to find some happy ground between that and telling everyone you
have to disable the firewall to do cool stuff on the desktop.

If a random prompt came up that says "Do you want to share FOOBAR on the
internet?" A non-educated user could have a chance of saying No? If it kept
on happening, he might even ask someone why his machine is acting weird.

But if he just said set up sharing of FOOBAR he would understand this and make
the correct decision.

We have a tool that could be used for labeling the processes that are asking,
SELinux, but we would have to eliminate the unconfined_t domain :^(.

> that means if there is no samba running and whatever harmful process needs to
> open incoming connections it would trigger the prompt for samba
> 
> this is the way to go only if you want to design a security nightmare
> 
>> The problem with this solution is potential conflicts in port numbers and
>> apps that just use random ports (which I think should just not be allowed
>> to use the service and would require disabling the firewall.)
> 
> the real problem i described above
> 
> as long as there is no way to get *predictably* which service/process is asking
> to open a specific port and verify this on the system level this all is
> completely pointless
> 