Services automaticly change firewall rules to open access to themselfs.

Arthur Pemberton pemboa at
Tue Sep 4 19:24:15 UTC 2007

On 9/4/07, Ian Burrell <ianburrell at> wrote:
> On 9/1/07, Bruno Wolff III <bruno at> wrote:
> > On Sat, Sep 01, 2007 at 14:07:17 +0200,
> >   Benny Amorsen <benny+usenet at> wrote:
> > >
> > > Administrators sometimes want to limit which traffic can reach
> > > applications, and perhaps limit the risk when accidentally starting
> > > applications. Automating firewall setup makes that useless.
> >
> > That is probably the main reason. And having apps undo restrictions seems
> > like a really really bad idea.
> >
> > Plus I have no confidence that apps can properly rewrite iptables rules
> > correctly. iptables setups can have complications which will make it
> > hard to change them. I have used subroutines for checking reserved ip
> > ranges and have had services configured to only be available to local
> > ip addresses or specific interfaces.
> >
> > I think the idea of having some way to help people who want a service
> > available to the internet at large or some local ip addresses is a good
> > idea, but it needs to be an add on step that can be skipped, not some
> > invisible change behind the scenes.
> >
> I wonder if the solution is to display the linkage between services
> and firewall rules in the configuration tools.  People would make the
> changes in the tools but they would know what is needed.  For
> system-config-securitylevel, one possibility is to highlight the
> services that are enabled but haven't been opened.
> Another help would have system-config-services print out a warning if
> the user enables a service but the firewall rule is not opened.
> system-config-services could probably show a dialog box that opens the
> firewall rule.  This would probably only work if
> system-config-securitylevel is managing the firewall.

Seems like a fair compromise.

Fedora 7 : sipping some of that moonshine
( )

More information about the fedora-devel-list mailing list