F21 System Wide Change: Workstation: Disable firewall

Alec Leamas leamas.alec at gmail.com
Tue Apr 15 18:31:44 UTC 2014


On 4/15/14, drago01 <drago01 at gmail.com> wrote:
> On Tue, Apr 15, 2014 at 6:13 PM, Andrew Lutomirski <luto at mit.edu> wrote:
[cut]
>> I keep thinking that, if I had unlimited time, I'd write a totally
>> different kind of firewall.  It would allow some policy (userspace
>> daemon or rules loaded into the kernel) to determine when programs can
>> listen on what sockets and when connections can be accepted on those
>> sockets.
>
> We could do that today by using selinux and confine all programs into
> a domain that does not allow listening on any ports.
> Those that have to should get labeled by a different type.
>
> We could go as far as do that for unconfined_t as well and have the
> user chcon to an "allow_ports_prog_t" or something (and have a boolean
> to shut it off for everything).
>
> But I am not sure this is less of a hassle than a firewall though.

Agreed. Anyway, some users disable selinux because it gets in their
way, exactly as the firewall. Would be interesting to have some idea
of percentages for this (% disabled firewalls, % disabled selinux) out
there, but I presume it's hopeless.

Anyway, I get the feeling that the hunt for the "really proper" fix is
not that fruitful here. OTOH, if you limit the goals to fulfill the
basic statement to not let the default configuration of firewalld
block the functionality of the default Workstations applications it
should certainly be doable without writing a new firewall. Not the
most elegant, ultimate solution, but something which solves the
problem at hand.

--a
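The practical goal stated above (keep the default firewalld configuration from blocking the default Workstation applications) can be checked on a given machine by comparing what is actually listening with what the active zone lets through. The script below is an added illustration written for this page, not code from the thread or from firewalld; the `ss -ltnup` output, the zone listing and the service-to-port table are all constructed samples, not captured from a real Fedora host.

```python
import re

# Constructed sample of `ss -ltnup` output (listening TCP and UDP sockets with owning process).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0           0.0.0.0:5353       0.0.0.0:*     users:(("avahi-daemon",pid=700,fd=12))
tcp   LISTEN 0      128         0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5         127.0.0.1:631        0.0.0.0:*     users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      10          0.0.0.0:1716       0.0.0.0:*     users:(("kdeconnectd",pid=1201,fd=9))
tcp   LISTEN 0      5           0.0.0.0:8000       0.0.0.0:*     users:(("python3",pid=1300,fd=3))
tcp   LISTEN 0      128            [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
"""

# Constructed zone listing, in the format `firewall-cmd --list-services` / `--list-ports` print.
ZONE_SERVICES = "dhcpv6-client mdns ssh"
ZONE_PORTS = ""

# Small constructed subset of firewalld service definitions: service name -> {(port, proto)}.
SERVICE_PORTS = {
    "ssh": {(22, "tcp")},
    "mdns": {(5353, "udp")},
    "dhcpv6-client": {(546, "udp")},
    "samba-client": {(137, "udp"), (138, "udp")},
}

# Loopback listeners are reachable regardless of the zone (lo is trusted), so they are skipped.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss(text):
    """Return (process, address, port, proto) for every socket row in `ss -ltnup` output."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) < 6:
            continue
        proto, local = cols[0], cols[4]          # Netid column and Local Address:Port column
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        match = re.search(r'"([^"]+)"', line)    # process name inside users:(("name",pid=...))
        proc = match.group(1) if match else "?"
        sockets.append((proc, addr.strip("[]"), int(port), proto))
    return sockets


def parse_zone(services, ports, service_db):
    """Expand a zone's service names and port entries into exact (port, proto) pairs and ranges."""
    exact = set()
    ranges = []
    for svc in services.split():
        exact |= service_db.get(svc, set())
    for entry in ports.split():                  # entries look like "8000/tcp" or "1025-65535/udp"
        spec, proto = entry.split("/")
        lo, _, hi = spec.partition("-")
        ranges.append((int(lo), int(hi or lo), proto))
    return exact, ranges


def is_open(port, proto, exact, ranges):
    """True if the zone admits traffic to this port/protocol."""
    return (port, proto) in exact or any(
        lo <= port <= hi and p == proto for lo, hi, p in ranges
    )


def blocked_listeners(ss_text, services, ports, service_db=SERVICE_PORTS):
    """List (process, port, proto) of non-loopback listeners the zone would block."""
    exact, ranges = parse_zone(services, ports, service_db)
    blocked = set()
    for proc, addr, port, proto in parse_ss(ss_text):
        if addr in LOOPBACK:
            continue
        if not is_open(port, proto, exact, ranges):
            blocked.add((proc, port, proto))
    return sorted(blocked)


if __name__ == "__main__":
    for proc, port, proto in blocked_listeners(SS_OUTPUT, ZONE_SERVICES, ZONE_PORTS):
        print(f"{proc} listens on {port}/{proto} but the zone does not admit it")
```

Run against real data by substituting the output of `ss -ltnup` and of `firewall-cmd --list-services` / `--list-ports` for the constructed strings; the service table would then need the full set of definitions from /usr/lib/firewalld/services. With the constructed zone above, the mDNS and ssh listeners pass, the CUPS socket is ignored as loopback-only, and the two application ports are reported as blocked; a zone that opens the 1025-65535 range for both protocols reports nothing.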