"Workstation" Product defaults to wide-open firewall

Pete Travis lists at petetravis.com
Tue Dec 9 19:51:16 UTC 2014


On Dec 9, 2014 12:38 PM, "Chuck Anderson" <cra at wpi.edu> wrote:
>
> On Tue, Dec 09, 2014 at 12:09:23PM -0700, Pete Travis wrote:
> > On Dec 9, 2014 12:06 PM, "Chuck Anderson" <cra at wpi.edu> wrote:
> > >
> > > On Tue, Dec 09, 2014 at 11:52:01AM -0700, Pete Travis wrote:
> > > > On Dec 9, 2014 11:33 AM, "Chuck Anderson" <cra at wpi.edu> wrote:
> > > > I should have said "ask firewalld for a port to be opened" - sorry, I
> > > > thought that would come from the context.
> > > >
> > > > Are you saying bind() should be talking to firewalld, via some approval
> > > > agent?  how do we make that happen?
> > >
> > > My point was that a firewall is superfluous if a program can just ask
> > > firewalld to poke a hole in the firewall for it automatically, because
> > > a program can already ask the system to open a listening port for it
> > > using bind(2) (and listen(2) and accept(2)) when no firewall is
> > > present.
> > >
> > > It means that in a world where automatic-hole-punching exists, the
> > > only use of a firewall on the host is maybe to limit the SCOPE of such
> > > communication, not whether such communication is allowed at all or
> > > not.  This is where firewall zones come in.
> >
> > Okay, one more thing on the ideal requirements list:  firewalld must not
> > blindly approve all requests, there must be some approval mechanism.  What
> > would that look like?
>
> You either have a pre-approved policy of what is allowed and what is
> not similar to how SELinux policy, PolicyKit rules, and the existing
> firewall rule mechanisms work, you ask the user on each request,
> similar to how some Windows firewalls work, or you ask the user when
> they connect to a network which "zone" to associate that network with,
> and use a pre-approved policy for each zone.  Zones can be "Home",
> "Public", "Work", etc.  Windows does this as well.
>

Hmm... a whitelist of things that are allowed to ask for firewall
accommodation doesn't help me develop new applications at all.  And you're
jumping to a really high level UI thing and just sort of hand waving over
the mechanism needed to make it all work.  Assigning different networks to
zones is a different problem compared to a program asking for a port.

--Pete
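The thread above argues over what an approval mechanism for program-initiated port requests would look like: a pre-approved policy per zone, a prompt to the user, or both. The model below is an added illustration of that design space and is not code from the Fedora firewalld project or from anyone in the thread; the zone names, the `PortRequest`/`ZonePolicy` types and the `prompt` callback are assumptions chosen for the example. It shows why a per-zone policy plus a deny-by-default rule limits the scope of an auto-opened port, which is the point Chuck makes about zones.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# A program asking the host firewall to open a listening port
# (the "ask firewalld for a port to be opened" step from the thread).
@dataclass(frozen=True)
class PortRequest:
    program: str
    port: int
    proto: str  # "tcp" or "udp"

# Pre-approved policy for one zone. Hypothetical structure for this example.
@dataclass
class ZonePolicy:
    name: str
    allowed: Set[Tuple[int, str]] = field(default_factory=set)
    ask_user: bool = False  # unlisted requests may be put to the user

# Decision callback standing in for a desktop prompt: given the request and
# the zone, return True to approve. Defaults to "no" so a missing UI is safe.
Prompt = Callable[[PortRequest, str], bool]


class ZoneFirewall:
    """Minimal model of zone-scoped approval of port-open requests."""

    def __init__(self, zones: List[ZonePolicy], prompt: Optional[Prompt] = None):
        self.zones: Dict[str, ZonePolicy] = {z.name: z for z in zones}
        self.network_zone: Dict[str, str] = {}      # network id -> zone name
        self.prompt: Prompt = prompt or (lambda req, zone: False)
        self.audit: List[Tuple[str, str, PortRequest, str]] = []  # decision log

    def assign_network(self, network: str, zone: str) -> None:
        """Associate a network (e.g. an SSID) with a zone at connect time."""
        if zone not in self.zones:
            raise ValueError(f"unknown zone {zone!r}")
        self.network_zone[network] = zone

    def request_port(self, network: str, req: PortRequest) -> bool:
        """Decide whether the request is honoured on the given network.

        Order: unknown network -> deny; pre-approved (port, proto) -> allow;
        zone permits asking -> defer to the prompt; otherwise deny.
        """
        zone_name = self.network_zone.get(network)
        if zone_name is None:
            self._log("deny", "unassigned-network", req, network)
            return False
        zone = self.zones[zone_name]
        if (req.port, req.proto) in zone.allowed:
            self._log("allow", "policy", req, zone_name)
            return True
        if zone.ask_user and self.prompt(req, zone_name):
            self._log("allow", "user", req, zone_name)
            return True
        self._log("deny", "policy", req, zone_name)
        return False

    def _log(self, decision: str, basis: str, req: PortRequest, where: str) -> None:
        self.audit.append((decision, basis, req, where))


def build_example(prompt: Optional[Prompt] = None) -> ZoneFirewall:
    """Constructed sample policy: ssh pre-approved everywhere, prompting only at home."""
    fw = ZoneFirewall(
        [
            ZonePolicy("home", allowed={(22, "tcp")}, ask_user=True),
            ZonePolicy("public", allowed={(22, "tcp")}, ask_user=False),
        ],
        prompt=prompt,
    )
    fw.assign_network("home-wifi", "home")
    fw.assign_network("cafe-wifi", "public")
    return fw


if __name__ == "__main__":
    fw = build_example(prompt=lambda req, zone: True)  # user says yes to everything
    dev = PortRequest("dev-server", 8080, "tcp")
    print("home-wifi :", fw.request_port("home-wifi", dev))   # True, via user
    print("cafe-wifi :", fw.request_port("cafe-wifi", dev))   # False, public denies
    for entry in fw.audit:
        print(entry)
```

The same request from the same program gets a different answer depending on the zone the active network was assigned to, so an application that "just asks" still cannot expose a development port on a public network unless the public zone policy says so.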