F21 System Wide Change: Workstation: Disable firewall

Simo Sorce simo at redhat.com
Tue Apr 15 16:31:37 UTC 2014

On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote:
> I keep thinking that, if I had unlimited time, I'd write a totally
> different kind of firewall.  It would allow some policy (userspace
> daemon or rules loaded into the kernel) to determine when programs can
> listen on what sockets and when connections can be accepted on those
> sockets.  This avoids the attack surface of iptables, it will be
> faster, it can cause programs to actually report errors if you want
> them to, and it could be a lot easier to configure.
> Wouldn't it be great if, when you start some program that wants to
> listen globally, your system could prompt you and ask whether it was
> okay, even if that program didn't know about firewalld?
I think what you are describing could be probably realized with SELinux
today, just with a special setroubleshoot frontend that catches the AVC
when the service tries to listen and ask the user if he wants to allow

However this would still not be completely sufficient as you completely
lack any context about what network you are operating on.

The firewall's purpose is to block access to local services on bad
networks too, it is not a binary open/close equation when you have
machines (laptops) that roam across a variety of networks.


Simo Sorce * Red Hat, Inc * New York

More information about the devel mailing list