iptables/firewall brainstorming

Chuck Anderson cra at WPI.EDU
Sun Jun 14 19:09:28 UTC 2009


On Sun, Jun 14, 2009 at 12:30:41PM -0600, Kevin Fenzi wrote:
> On Sun, 14 Jun 2009 18:34:52 +0100
> Matthew Garrett <mjg at redhat.com> wrote:
> 
> > On Sun, Jun 14, 2009 at 06:13:51PM +0200, Julian Aloofi wrote:
> > 
> > > So, solving this is pretty easy, even for newbies. But I agree that
> > > the error message will not help someone without advanced knowledge.
> > > Although I think people running Samba generally will know where to
> > > look for the problem.
> > 
> > I think this is actually a problem that needs solving. We have
> > several network services that are either installed by default or
> > might be expected to be part of a standard setup, but which don't
> > work because of the default firewall rules. The Anaconda people have
> > (sensibly, IMHO) refused to simply add further exceptions to the
> > firewall policy.
> > 
> > So, what should happen here? Should we leave the firewall enabled in 
> > these cases* by default and require admins to open them? If so, is
> > there any way that we can make this easier in some
> > Packagekit-oriented manner? If not, how should we define that
> > packages indicate that they need ports opened? Should this be handled
> > at install time or run time?
> > 
> > * The case that I keep hitting is mDNS resolution, which requires 
> > opening a hole in the firewall

For the case of mDNS resolution, we should create a nf_conntrack 
module to track outbound requests and allow the related replies back 
in.  This case is identical to the Samba browsing case where we 
created nf_conntrack_netbios_ns [1].  We need a nf_conntrack_mdns too.

> I keep wondering if we couldn't come up with something
> like a /etc/iptables.d/ type setup somehow that would work for these
> cases. 

That might be a good idea for services, but for clients (Samba NetBIOS 
browsing, mDNS, other client-initiated broadcast/multicast-based 
browsing or discovery protocols) we should just unconditionally 
install and enable iptables conntrack modules to handle them by 
default [1] [2].  Clients should just work out-of-the-box without 
requiring any user configuration.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=113918
[2] https://bugzilla.redhat.com/show_bug.cgi?id=469884
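As an added illustration (not code from this thread, from netfilter or from the kernel), a small Python model of the expectation logic a netbios_ns-style helper applies to client-initiated broadcast/multicast discovery: an outbound query creates a short-lived expectation, and only answers from the local link that match it are admitted. The subnet, the 3-second timeout and the packet fields are assumptions made for the model.

```python
"""Toy model of a conntrack discovery helper (constructed example).
An outbound NetBIOS name query or mDNS query creates an expectation;
inbound packets are admitted only while that expectation is live."""
import ipaddress
from dataclasses import dataclass

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # mDNS multicast group/port
NETBIOS_NS_PORT = 137                         # NetBIOS name service
EXPECT_TIMEOUT = 3.0                          # seconds an expectation lives (assumed)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float  # arrival time in seconds


class DiscoveryHelper:
    def __init__(self, local_net: str):
        self.net = ipaddress.ip_network(local_net)
        self.expect = {}  # (dst ip, dst port) a reply may go to -> expiry time

    def outbound(self, p: Pkt) -> bool:
        """Called for packets leaving the host; True if a discovery query was seen."""
        mdns = p.dst == MDNS_GROUP and p.dport == MDNS_PORT
        nbns = p.dst == str(self.net.broadcast_address) and p.dport == NETBIOS_NS_PORT
        if not (mdns or nbns):
            return False
        expiry = p.ts + EXPECT_TIMEOUT
        # unicast reply to the querying socket (NetBIOS, mDNS legacy unicast) ...
        self.expect[(p.src, p.sport)] = expiry
        # ... or a reply sent to the group/broadcast address the query went to (mDNS)
        self.expect[(p.dst, p.dport)] = expiry
        return True

    def inbound_allowed(self, p: Pkt) -> bool:
        """Would a RELATED match admit this otherwise unsolicited inbound packet?"""
        expiry = self.expect.get((p.dst, p.dport))
        if expiry is None:
            return False
        if p.ts > expiry:                      # expectation timed out: drop it
            del self.expect[(p.dst, p.dport)]
            return False
        # only hosts on the local link may answer; an off-link sender that
        # happens to hit the expected port is still refused
        return ipaddress.ip_address(p.src) in self.net
```

The point of the model is that ordinary ESTABLISHED tracking cannot pair these replies with the query (the reply's source is never the broadcast or multicast address the query went to), so a helper is what turns "unconditionally open the port" into "admit only expected, on-link, time-limited answers".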
