Browser mode for nautilus

Axel Thimm Axel.Thimm at ATrpms.net
Mon Oct 27 21:08:13 UTC 2008


On Mon, Oct 27, 2008 at 09:55:56PM +0100, Lennart Poettering wrote:
> > But dynamical ports are not new to iptables, lots of protocols, be
> > that rpc, h323 or even p-o-d passive ftp need them and conntrack/pom
> > rectify the `static firewall' view.
> 
> But all those protocols start the connection with a well known port
> and then hand things off to a dynamic port.  If you use truly random
> ports then iptables needs to sense what kind of protocol something is
> based on the packet contents. Which security-wise is a joke, and
> hence the whole idea makes no sense.

And there are services that use truly random ports? E.g. w/o any
handshaking or negotiation about these ports by well-defined
processes? What do we have mDNS/DNS-SD/SSDP for?

Just like FTP negotiates the `truly random' ports, so do the zeroconf
techniques with ips/ports/services.

iptables/netfilter already has intelligent agents to parse the passing
packages for needed dynamical firewall configuration. Just check it
out, and maybe you'll rethink the netfilter project. :)

> > I haven't followed up the latest netfilter developments, but I know
> > there is even a userspace lib for registering such connections. Maybe
> > RB/mDNS and friends just need a pom `plugin'.
> 
> The Linux kernel already has an API for that. It's called listen().

Cool, so any local non-privileged process could open up holes in the
firewall above ports 1024 as it pleases w/o the user even noticing.

Why not remove password protection from accounts while we are at it? ;)
-- 
Axel.Thimm at ATrpms.net
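As an added illustration of the helper-based approach the message above argues for (not part of the original thread, and not the poster's own configuration): an nftables ruleset, the netfilter project's current ruleset syntax, assumed for a host running only an FTP server, where input is closed by default and the FTP conntrack helper admits the negotiated data ports as RELATED instead of the whole unprivileged range being opened. The helper object name "ftp-std" is arbitrary.

```nftables
# Added example (not from the thread): dynamic-port handling via a conntrack
# helper rather than a blanket hole above port 1024. Assumes an FTP server
# on this host; "ftp-std" is an arbitrary helper object name.
table inet filter {
    # Bind the kernel's FTP helper to the control channel (port 21) so the
    # PORT/PASV negotiation it parses can mark the data connection RELATED.
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    chain prerouting {
        type filter hook prerouting priority filter; policy accept;
        tcp dport 21 ct helper set "ftp-std"
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        # Only packets belonging to a tracked session, or one the helper
        # derived from a tracked session, get through; nothing else does.
        ct state established,related accept
        # The single well-known entry point; the data port is never listed.
        tcp dport 21 ct state new accept

        # What "any listen() opens a hole" amounts to; deliberately NOT used:
        # tcp dport 1024-65535 ct state new accept
    }
}
```

Loaded with `nft -f`; the helper itself comes from the kernel's nf_conntrack_ftp module.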