What I HATE about F11

Adam Williamson awilliam at redhat.com
Tue Jun 16 23:39:36 UTC 2009


On Sun, 2009-06-14 at 19:36 +0100, Matthew Garrett wrote:

> > there is an interesting issue;
> > if you poke a hole in your firewall for all the ports that are listening
> > automatically..... you might as well not have a firewall in the first
> > place...
> 
> Well, not exactly. For instance, making it part of package management 
> policy means that runtime user-level compromises can't poke holes. It 
> could be tied to packages with recognised signatures. There's various 
> ways that it could be tied down in such a way that the firewall still 
> provides a benefit without leaving users in the current situation of "I 
> installed nss-mdns and I still can't look up my media server".

Here's another variation on the popular AdamW theme "Wot Mandriva
Does"...

Mandriva has a firewall configuration tool with a neat feature. Ports
can be associated with packages (in the code, not by the user). So, oh,
say, the default port most bittorrent apps use (I forget what it is,
8881 or something) is associated with all the packages in Mandriva which
do bittorrent. When you run the firewall configuration tool, if any of
those packages is installed, a "Bittorrent" checkbox shows up in the
'dead simple' interface - just check the box and Bittorrent magically
works!

I used this for Windows Mobile sync stuff: WM sync requires something of
an assortment of ports to be open in the firewall (four or five of 'em).
So I just made the firewall config tool associate that set of ports with
the libsynce package; if you have libsynce installed, the firewall
config tool gives you a nice little checkbox (marked 'Windows Mobile
Synchronization' or something) that opens all those ports for you.

It's a rather old system that looks a bit hacky from one perspective,
but seems to satisfy the requests in this thread rather well: it's very
easy to use but doesn't just open the firewall automatically.

Well, just an observation. I can provide a link to the code if anyone
cares, but if Fedora wanted to do something similar it'd probably just
get re-done from scratch, as MDV's code is of course in perl...

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
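The scheme described in the post above, where ports are tied to packages in code and a service can only be opened when its package is installed and the user ticks the box, as an added example. This is not Mandriva's tool or any Fedora code (and it is Python, not the Perl the post mentions); the service table, package names, labels and port numbers are constructed for illustration, and the installed-package set is passed in rather than read from rpm.

```python
"""Package-gated firewall services.

Added example modelled on the post's description: the port/package
association lives in code, the firewall tool only offers a checkbox for a
service whose package is installed, and ticking a box for a service whose
package is absent opens nothing.  All table contents are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    label: str            # text shown next to the checkbox
    packages: frozenset   # any of these being installed makes the box appear
    tcp: tuple = ()       # TCP ports opened when the box is ticked
    udp: tuple = ()       # UDP ports opened when the box is ticked


# Constructed table: package names and ports are placeholders, not a
# transcription of any distribution's real configuration.
SERVICE_TABLE = (
    Service("BitTorrent", frozenset({"transmission", "ktorrent"}),
            tcp=(6881,), udp=(6881,)),
    Service("Windows Mobile Synchronization", frozenset({"libsynce"}),
            tcp=(990, 999, 5678, 5679)),
    Service("Local name resolution (mDNS)", frozenset({"avahi", "nss-mdns"}),
            udp=(5353,)),
)


def offered_services(installed):
    """Labels the 'dead simple' UI would show, in table order."""
    installed = set(installed)
    return [svc.label for svc in SERVICE_TABLE if installed & svc.packages]


def ports_to_open(installed, checked):
    """Resolve ticked boxes to (proto, port) pairs.

    Returns (ports, ignored): ports for services that are both ticked and
    backed by an installed package, and the labels that were ticked but
    ignored because their package is missing (or the label is unknown).
    """
    installed = set(installed)
    checked = set(checked)
    ports = set()
    ignored = []
    for svc in SERVICE_TABLE:
        if svc.label not in checked:
            continue
        if not installed & svc.packages:
            ignored.append(svc.label)   # package gone: box has no effect
            continue
        ports.update(("tcp", p) for p in svc.tcp)
        ports.update(("udp", p) for p in svc.udp)
    known = {svc.label for svc in SERVICE_TABLE}
    ignored.extend(sorted(checked - known))
    return sorted(ports), ignored


def render_rules(ports):
    """Render resolved ports as iptables ACCEPT rules (strings only)."""
    return [f"iptables -A INPUT -p {proto} --dport {port} -j ACCEPT"
            for proto, port in ports]


if __name__ == "__main__":
    # Constructed sample: the user has a torrent client and libsynce, and
    # ticks BitTorrent plus mDNS even though avahi is not installed.
    have = {"transmission", "libsynce", "bash"}
    print("offered:", offered_services(have))
    opened, skipped = ports_to_open(have, {"BitTorrent",
                                           "Local name resolution (mDNS)"})
    for rule in render_rules(opened):
        print(rule)
    print("ignored:", skipped)
```

The point of the split between `offered_services` and `ports_to_open` is that the second check is repeated when rules are applied, not only when the dialog is drawn: removing the package later makes the ticked box inert on the next apply, so a stale preference cannot keep a port open for a service that no longer exists.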