"Workstation" Product defaults to wide-open firewall

Pete Travis lists at petetravis.com
Tue Dec 9 19:09:23 UTC 2014


On Dec 9, 2014 12:06 PM, "Chuck Anderson" <cra at wpi.edu> wrote:
>
> On Tue, Dec 09, 2014 at 11:52:01AM -0700, Pete Travis wrote:
> > On Dec 9, 2014 11:33 AM, "Chuck Anderson" <cra at wpi.edu> wrote:
> > I should have said "ask firewalld for a port to be opened" - sorry, I
> > thought that would come from the context.
> >
> > Are you saying bind() should be talking to firewalld, via some approval
> > agent?  How do we make that happen?
>
> My point was that a firewall is superfluous if a program can just ask
> firewalld to poke a hole in the firewall for it automatically, because
> a program can already ask the system to open a listening port for it
> using bind(2) (and listen(2) and accept(2)) when no firewall is
> present.
>
> It means that in a world where automatic-hole-punching exists, the
> only use of a firewall on the host is maybe to limit the SCOPE of such
> communication, not whether such communication is allowed at all or
> not.  This is where firewall zones come in.

Okay, one more thing on the ideal requirements list:  firewalld must not
blindly approve all requests, there must be some approval mechanism.  What
would that look like?

--Pete
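As an illustration of the zone-based scoping Chuck describes (added here, not part of the thread), a firewalld zone file that admits a service and a port only for traffic arriving from one source range; the file path, the 192.0.2.0/24 range and port 8080 are assumed placeholders:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- assumed path: /etc/firewalld/zones/internal.xml (loaded with firewall-cmd --reload) -->
<zone>
  <short>Internal</short>
  <description>Services reachable only from the office LAN (placeholder range).</description>
  <!-- packets whose source matches this range are classified into this zone -->
  <source address="192.0.2.0/24"/>
  <!-- what is admitted for that scope: the ssh service and one extra TCP port -->
  <service name="ssh"/>
  <port protocol="tcp" port="8080"/>
</zone>
```

Traffic from any other source is classified into the default zone, so a process that has called bind(2) and listen(2) on port 8080 is reachable from the listed range but not from elsewhere, which is the limit-the-scope role the message attributes to zones.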