auto-firewall configuration

Havoc Pennington hp at redhat.com
Fri Apr 23 04:01:52 UTC 2004


On Thu, 2004-04-22 at 21:23, Jens Knutson wrote:
> On Thu, 2004-04-22 at 19:59, Matthew Miller wrote:
> > > desktop, that probably means everything is closed. If someone starts a
> > > service, the initscript or whatever can open the port. If you don't want a
> > > port open, stop the service.
> > 
> > In that case, why even _have_ a firewall? If nothing's listening on a port,
> > it's not like anyone can connect to it.
> 

I suppose it's just for the case where you want to listen for
connections from the local machine, but not from other machines?
(Could use domain sockets for this too)

Also perhaps to block non-root users from starting servers on unreserved
ports.

> but then...  if a service is to be made available, you can't have the
> firewall turned on for that port, so why have the service if the
> firewall will just prevent it from functioning?
> 

Right, you just want to say "these services are available to the
network, and nothing else is available" - and have the firewall and
which daemons are started up reflect the desired availability.

I don't know. I'd be curious to hear about people who do anything
complex with firewalling a single system. I know people do really
complex things with a system that _is_ a firewall for a whole network.
But for a standalone system firewalling itself it seems like you always
want "enable the services this system provides, and disable everything
else" - which seems like it can be automated if we have knowledge of
those services.

Havoc
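The "enable the services this system provides, disable everything else" policy described above can be generated mechanically once the host knows which daemons it runs. The following is an added example, not code from the thread or from Fedora: it takes a constructed inventory of listening sockets (standing in for `ss -lntu` output), the set of service names the administrator declares the host offers, and emits an nftables input chain that accepts only those network-facing ports, ignores loopback-only listeners, and reports any listener no declared service accounts for so it can be stopped rather than silently firewalled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    addr: str      # bind address
    port: int
    service: str   # owning service name (constructed, as a real tool would get from -p)


# Constructed sample inventory; not real ss output.
LISTENERS = [
    Listener("tcp", "0.0.0.0", 22, "sshd"),
    Listener("tcp", "127.0.0.1", 631, "cupsd"),   # loopback only: no rule needed
    Listener("tcp", "0.0.0.0", 80, "httpd"),
    Listener("udp", "0.0.0.0", 5353, "avahi"),
    Listener("tcp", "0.0.0.0", 8080, "unknown"),  # nobody declared this one
]


def exposed_ports(listeners):
    """Ports reachable from other hosts: anything not bound to loopback."""
    return {(l.proto, l.port, l.service)
            for l in listeners if not l.addr.startswith("127.")}


def build_policy(listeners, provided):
    """Return (nft rule lines, undeclared listeners).

    `provided` is the set of service names the admin says this host offers.
    Only their non-loopback ports are opened; the chain policy drops the rest.
    Listeners not covered by a declared service are returned separately so the
    operator can stop the daemon, which is the fix the thread argues for.
    """
    rules = [
        "table inet host {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    undeclared = []
    for proto, port, service in sorted(exposed_ports(listeners)):
        if service in provided:
            rules.append(f"    {proto} dport {port} accept  # {service}")
        else:
            undeclared.append((proto, port, service))
    rules += ["  }", "}"]
    return rules, undeclared
```

The rule text can be fed to `nft -f -`; anything in the undeclared list is a listening daemon the host never promised to provide.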
