Firewall blocking desktop features

Reindl Harald h.reindl at thelounge.net
Wed Sep 11 21:50:52 UTC 2013



On 11.09.2013 23:18, Mateusz Marzantowicz wrote:
> On 11.09.2013 17:24, Daniel J Walsh wrote:
>> On 09/11/2013 09:18 AM, Reindl Harald wrote:
>>>> The problem with this solution is potential conflicts in port numbers and
>>>> apps that just use random ports (which I think should just not be allowed
>>>> to use the service and would require disabling the firewall.)
>>
>>> the real problem i described above
>>
>>> as long as there is no way to get *predictably* which service/process is asking
>>> to open a specific port and verify this on the system level, this all is
>>> completely pointless
> 
> Interesting discussion, but several things don't fit together for me:
> 
> 1. It's the firewall's job to manage and keep track of opened ports and
> established connections, so it also should be the piece of software that
> asks the user whether he wants to allow network traffic or not.

yes

> 2. Why do you say there is no way for the firewall to know which app is
> requesting a specific port to be opened? There is a process name and path
> and it could be identified.

could - well, "could" is not a working implementation

show a working implementation
firewall means iptables
(yes, firewalld is nothing else than writing netfilter rules)

> It's also easy to maintain a database of the most commonly used binaries and
> the ports that they'd like to open/close. If you don't trust the binaries on
> your system it means it's already been compromised and the firewall is then
> useless

in case of *desktop features* most of the time you are speaking
about not-so-well-known ports like 80, 443, 445

and what I fight against is the proposal someone brought into
this thread, that the *application defines* the message
which the user confirms to open a port - from a security point
of view this is the most stupid way to go and will later end
in a nightmare

> 3. If you allow each app to ask for permission to open some port, it'll
> certainly be done in a thousand different ways, and the lack of consistency
> isn't going to help users

*what*?

where do I say anything about 1000 different ways?
the *opposite* is what I claim all the time must happen

and what most people do not realize here is that the whole system
(netfilter, network stack, applications) needs to work tightly together
in the case of a request, because the application layer still sends
data and you have to consider queuing packets and, after opening the
firewall, sending them to the application, or whatever you liked to do will likely fail

so with the current state of play there is a lot of infrastructure
missing to even loudly consider implementing "desktop firewalls"
as known from the Windows world, and honestly, before mistakes are
made I clearly say "do not touch it at all", simply because it
worked over decades, it is still working, and before now someone comes out
and says "but not comfortable enough" he should take a breath and
realize that when it comes to security it *always* works against
comfort with *no* exceptions at all
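As an added illustration of the "process name and path" point raised in (2), and not code from this thread, from firewalld or from any of the posters: a Python sketch of how a userspace tool on Linux can resolve a listening TCP port to an owning process by joining the socket inodes listed in /proc/net/tcp with the fd symlinks under /proc/<pid>/fd. The sample /proc/net/tcp text and the owner table are constructed; only socket_inodes_by_pid() reads the real /proc.

```python
import os

TCP_LISTEN = "0A"  # value of the "st" column for a listening socket in /proc/net/tcp

def parse_proc_net_tcp(text):
    """Return {socket_inode: local_port} for the LISTEN entries of /proc/net/tcp text."""
    listeners = {}
    for line in text.splitlines()[1:]:        # line 0 is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        local_port = int(fields[1].split(":")[1], 16)   # "hexaddr:hexport"
        listeners[int(fields[9])] = local_port          # column 9 is the inode
    return listeners

def socket_inodes_by_pid(proc_root="/proc"):
    """Scan /proc/<pid>/fd symlinks and return {socket_inode: (pid, exe_path)}."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            fd_dir = os.path.join(base, "fd")
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                       # process exited or no permission
            continue
        for target in targets:                # sockets appear as "socket:[<inode>]"
            if target.startswith("socket:[") and target.endswith("]"):
                owners[int(target[8:-1])] = (int(pid), exe)
    return owners

def listeners_with_owners(net_tcp_text, owners):
    """Join listening ports to their owning process; None when no owner is visible."""
    return {port: owners.get(inode)
            for inode, port in parse_proc_net_tcp(net_tcp_text).items()}

# Constructed sample, not real system data: sshd listening on 22 (0x0016), one
# ESTABLISHED (st 01) client socket, and a 443 (0x01BB) listener with no visible owner.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A1B2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24680 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_OWNERS = {12345: (811, "/usr/sbin/sshd"), 67890: (2048, "/usr/bin/curl")}

if __name__ == "__main__":
    # On a live Linux host, use open("/proc/net/tcp").read() and socket_inodes_by_pid().
    print(listeners_with_owners(SAMPLE_NET_TCP, SAMPLE_OWNERS))
```

This only identifies sockets that already exist and whose /proc/<pid>/fd is readable by the scanning user (run as root for a complete view); it does not intercept the moment an application asks for a port.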



