"Workstation" Product defaults to wide-open firewall
lists at petetravis.com
Tue Dec 9 19:09:23 UTC 2014
On Dec 9, 2014 12:06 PM, "Chuck Anderson" <cra at wpi.edu> wrote:
> On Tue, Dec 09, 2014 at 11:52:01AM -0700, Pete Travis wrote:
> > On Dec 9, 2014 11:33 AM, "Chuck Anderson" <cra at wpi.edu> wrote:
> > I should have said "ask firewalld for a port to be opened" - sorry, I
> > thought that would come from the context.
> > Are you saying bind() should be talking to firewalld, via some approval
> > agent? How do we make that happen?
> My point was that a firewall is superfluous if a program can just ask
> firewalld to poke a hole in the firewall for it automatically, because
> a program can already ask the system to open a listening port for it
> using bind(2) (and listen(2) and accept(2)) when no firewall is
> It means that in a world where automatic-hole-punching exists, the
> only use of a firewall on the host is maybe to limit the SCOPE of such
> communication, not whether such communication is allowed at all or
> not. This is where firewall zones come in.
Okay, one more thing on the ideal requirements list: firewalld must not
blindly approve all requests; there must be some approval mechanism. What
would that look like?
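One shape such an approval agent could take, where a zone bounds the scope of any hole that is granted and the agent never auto-approves outside that scope, as an added example that is not part of this thread or of firewalld's own code (the zone table, application names, port thresholds and rules are constructed assumptions):

```python
from dataclasses import dataclass

# Constructed zone table for the example; not firewalld's real zone definitions.
# A zone bounds the SCOPE of any hole a program is granted: the source ranges
# it covers, and whether the agent may grant requests without an administrator.
ZONES = {
    "trusted": {"sources": ("10.0.0.0/8",), "auto_approve": True},
    "home": {"sources": ("192.168.1.0/24",), "auto_approve": True},
    "public": {"sources": ("0.0.0.0/0",), "auto_approve": False},
}

@dataclass(frozen=True)
class OpenRequest:
    app: str      # identity of the requesting program, as the agent sees it
    port: int
    proto: str    # "tcp" or "udp"
    zone: str     # zone the program wants the port exposed in

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    scope: tuple = ()   # source ranges the opened port is reachable from

def evaluate(req: OpenRequest, admin_approvals: frozenset = frozenset()) -> Decision:
    """Decide a hypothetical hole-punch request against the example policy.

    admin_approvals holds (app, port, proto, zone) tuples an administrator has
    explicitly granted; everything else is judged by the zone's own rules.
    """
    zone = ZONES.get(req.zone)
    if zone is None:
        return Decision(False, f"unknown zone {req.zone!r}")
    if req.proto not in ("tcp", "udp") or not 1 <= req.port <= 65535:
        return Decision(False, "malformed port/protocol")
    key = (req.app, req.port, req.proto, req.zone)
    if key in admin_approvals:
        return Decision(True, "explicitly approved by administrator", zone["sources"])
    # Privileged ports and non-auto zones always need the administrator.
    if req.port < 1024:
        return Decision(False, "privileged port requires administrator approval")
    if not zone["auto_approve"]:
        return Decision(False, f"zone {req.zone!r} does not auto-approve requests")
    return Decision(True, "auto-approved within zone scope", zone["sources"])
```

The returned scope is what the firewall still decides even when the request itself is granted: the hole is reachable only from the zone's sources, never from everywhere.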