Browser mode for nautilus

Axel Thimm Axel.Thimm at
Mon Oct 27 21:08:13 UTC 2008

On Mon, Oct 27, 2008 at 09:55:56PM +0100, Lennart Poettering wrote:
> > But dynamical ports are not new to iptables, lots of protocols, be
> > that rpc, h323 or even p-o-d passive ftp need them and conntrack/pom
> > rectify the `static firewall' view.
> But all those protocols start the connection with a well known port
> and then hand things off to a dynamic port.  If you use truely random
> ports than iptables needs to sense what kind of protocol something is
> based on the packet contents. Which security-wise is a joke, and
> hence the whole idea makes no sense.

And there are services that use truely random ports? E.g. w/o any
handshaking or negotiation about these ports by well-defined
processes? Why do we have mDNS/DNS-SD/SSDP for?

Just like FTP negotiates the `truely random' ports, so do the zeroconf
techniques with ips/ports/services.

iptables/netfilter already has intelligent agents to parse the passing
packages for needed dynamical firewall configration. Just check it
out, and maybe you'll rethink about the netfilter project. :)

> > I haven't followed up the latest netfilter developments, but I know
> > there is even a userspace lib for registering such connections. Maybe
> > RB/mDNS and friends just need a pom `plugin'.
> The Linux kernel already has an API for that. It's called listen().

Cool, so any local non-priviledged process could open up holes in the
firewall above ports 1024 as it pleases w/o the user even noticing.

Why not remove password protection from accounts while we are at it? ;)
Axel.Thimm at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <>

More information about the Fedora-desktop-list mailing list