Services automatically change firewall rules to open access to themselves.

Ian Burrell ianburrell at gmail.com
Tue Sep 4 18:45:44 UTC 2007


On 9/1/07, Bruno Wolff III <bruno at wolff.to> wrote:
> On Sat, Sep 01, 2007 at 14:07:17 +0200,
>   Benny Amorsen <benny+usenet at amorsen.dk> wrote:
> >
> > Administrators sometimes want to limit which traffic can reach
> > applications, and perhaps limit the risk when accidentally starting
> > applications. Automating firewall setup makes that useless.
>
> That is probably the main reason. And having apps undo restrictions seems
> like a really really bad idea.
>
> Plus I have no confidence that apps can properly rewrite iptables rules
> correctly. iptables setups can have complications which will make it
> hard to change them. I have used subroutines for checking reserved ip
> ranges and have had services configured to only be available to local
> ip addresses or specific interfaces.
>
> I think the idea of having some way to help people who want a service
> available to the internet at large or some local ip addresses is a good
> idea, but it needs to be an add on step that can be skipped, not some
> invisible change behind the scenes.
>

I wonder if the solution is to display the linkage between services
and firewall rules in the configuration tools.  People would make the
changes in the tools but they would know what is needed.  For
system-config-securitylevel, one possibility is to highlight the
services that are enabled but haven't been opened.

Another help would be to have system-config-services print out a warning if
the user enables a service but the firewall rule is not opened.
system-config-services could probably show a dialog box that opens the
firewall rule.  This would probably only work if
system-config-securitylevel is managing the firewall.

 - Ian
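As an added example (not code from this thread or from the system-config-* tools), here is a Python check along the lines Ian describes: it parses `iptables -S INPUT` style output and reports enabled services whose ports are not opened, and, picking up Bruno's point about local-only services, distinguishes ports that are opened only for a specific source or interface. The service-to-port table and the rule listing are constructed sample data.

```python
import shlex

# Constructed sample: `iptables -S INPUT` output from a hypothetical host
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
"""

# Constructed sample: enabled services and the (proto, port) pairs they listen on
ENABLED_SERVICES = {
    "sshd": [("tcp", 22)],
    "httpd": [("tcp", 80), ("tcp", 443)],
    "smb": [("tcp", 139), ("tcp", 445)],
    "named": [("udp", 53), ("tcp", 53)],
}

def parse_accept_rules(rules_text):
    """Return (proto, ports, restricted) for every port-specific INPUT ACCEPT rule."""
    accepts = []
    for line in rules_text.splitlines():
        t = shlex.split(line)
        if t[:2] != ["-A", "INPUT"] or "-j" not in t or t[t.index("-j") + 1] != "ACCEPT":
            continue
        proto = t[t.index("-p") + 1] if "-p" in t else None
        ports = set()
        for flag in ("--dport", "--dports"):  # single port or multiport list
            if flag in t:
                ports |= {int(p) for p in t[t.index(flag) + 1].split(",")}
        # A source (-s) or non-loopback interface (-i) match limits who can reach the port
        restricted = "-s" in t or ("-i" in t and t[t.index("-i") + 1] != "lo")
        if proto and ports:
            accepts.append((proto, ports, restricted))
    return accepts

def check_services(enabled, rules_text):
    """Map each service to 'open', 'restricted' or 'closed'; the worst listener wins."""
    accepts = parse_accept_rules(rules_text)
    report = {}
    for name, listeners in enabled.items():
        states = set()
        for proto, port in listeners:
            hits = [r for p, ports, r in accepts if p == proto and port in ports]
            states.add("closed" if not hits else "restricted" if all(hits) else "open")
        report[name] = next(s for s in ("closed", "restricted", "open") if s in states)
    return report
```

A configuration tool would warn on every service not reported as "open", so in the sample httpd and named (tcp/53 has no rule) get a warning, while smb is flagged as reachable only from 192.168.1.0/24.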

More information about the fedora-devel-list mailing list