Networking and the firewall (Was Re: Isn't it time for the encrypted file system???)

Daniel J Walsh dwalsh at redhat.com
Tue Mar 28 16:02:05 UTC 2006


David Zeuthen wrote:
> On Tue, 2006-03-28 at 09:51 +0200, Alexander Larsson wrote:
>   
>> I must say I'm slightly bothered by the "let's have the apps punch holes
>> in the firewall" approach. If any app can open holes in the firewall,
>> what use is the firewall then? It will only be protecting ports that no
>> application is listening to.
>>     
>
> Sure, of course, we need auth from the user (ask them to put in their
> own password or the root password [1]) to open the hole as Alan says.
> Just allowing any app to open arbitrary ports would be a security hole.
>
> We might need some fixes both kernel- and g-u-s-side too to make this
> work in a secure way; e.g. reuse same port number next time; only
> allow /usr/bin/httpd to bind to that port etc etc
>
> I must say.. I'm slightly annoyed by the fact that we put in a feature
> like g-u-s and just don't fix this and expect the user to Google his way
> out of this. We already know that the only way to fix this right now is
> to turn off the firewall. Not very cool. 
>
> Can someone please look at this for FC6? And at the same time make sure
> the Banshee and Rhythmbox's of the world can use this feature too? Maybe
> even push an API 
>
>     David
>
> [1] : the PolicyKit stuff I'm working on will make this much easier
> though it will require the firewall to export a system-level service to
> allow punching holes...
>
>   
Should also be wrapped in SELinux to make sure some random app does not 
ask for this.  If I am a user and NetworkManager pops a window saying 
something like
"In order to run correctly I need your computer to turn purple, and run 
the Hypervisor at Warp 3"  I am going to answer the question, "Yes"

So only apps with a security policy should even be able to do this.
>   
>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>>  Alexander Larsson                                            Red Hat, Inc 
>>                    alexl at redhat.com    alla at lysator.liu.se 
>> He's a short-sighted amnesiac filmmaker from a doomed world. She's a 
>> supernatural hip-hop safe cracker fleeing from a Satanic cult. They fight 
>> crime! 
>>
>> --
>> Fedora-maintainers mailing list
>> Fedora-maintainers at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-maintainers
>>     
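The gate Dan is arguing for, as an added example that is not code from this thread, from Fedora, or from gnome-user-share: a privileged "punch a hole" helper that reads the requesting process's SELinux label off the Unix socket it connected on (`SO_PEERSEC`), and opens a port only if that domain is explicitly listed for that port. The user-facing dialog is not what protects the firewall; the deny-by-default policy check in the service is. The domain names, port assignments and rule shape below are assumptions for illustration, not Fedora policy.

```python
"""Added example: SELinux-domain-gated firewall hole punching.

Not code from the Fedora thread or from gnome-user-share. Domain names,
ports and the iptables rule below are illustrative assumptions.
"""
import re
import socket
from typing import Optional, Tuple, List

# Linux socket option: returns the LSM (SELinux) security context of the peer
# on a Unix-domain connection. Value is from <asm-generic/socket.h>.
SO_PEERSEC = 31

# Hypothetical policy: which SELinux domain may ask for which (proto, port).
# Deny by default: any domain or port not listed here is refused, so a
# "random app" that tricks the user into clicking Yes still gets nothing.
POLICY = {
    "httpd_t": {("tcp", 80), ("tcp", 443)},
    "gnome_user_share_t": {("tcp", 8080)},  # assumed domain name for g-u-s
}

# SELinux context strings look like user:role:type:level[-level]
_CONTEXT_RE = re.compile(r"^[^:]+:[^:]+:([^:]+):.*$")


def domain_of(context: str) -> Optional[str]:
    """Extract the type (domain) field from an SELinux context string."""
    m = _CONTEXT_RE.match(context.rstrip("\x00"))
    return m.group(1) if m else None


def decide(context: Optional[str], proto: str, port: int) -> Tuple[bool, str]:
    """Decide whether the caller in `context` may open proto/port.

    Returns (allowed, reason). Every failure path returns False; only an
    explicit policy hit returns True.
    """
    if proto not in ("tcp", "udp"):
        return False, "unsupported protocol %r" % proto
    if not (1 <= port <= 65535):
        return False, "port %r out of range" % port
    if context is None:
        return False, "caller has no security label (SELinux disabled?)"
    domain = domain_of(context)
    if domain is None:
        return False, "unparseable context %r" % context
    if (proto, port) not in POLICY.get(domain, set()):
        return False, "domain %s is not allowed %s/%d" % (domain, proto, port)
    return True, "domain %s allowed %s/%d" % (domain, proto, port)


def firewall_rule(proto: str, port: int) -> List[str]:
    """The argv a privileged helper would run once a request is approved.

    Assumed iptables invocation; the real g-u-s/FC6 mechanism is not this.
    """
    return ["iptables", "-I", "INPUT", "-p", proto,
            "--dport", str(port), "-j", "ACCEPT"]


def peer_context(sock: socket.socket) -> Optional[str]:
    """Read the peer's SELinux context, or None if the kernel has none."""
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, 256)
    except OSError:
        return None  # no LSM providing a label (e.g. SELinux not enabled)
    text = raw.decode("ascii", errors="replace").rstrip("\x00")
    return text or None


def handle_request(sock: socket.socket, proto: str, port: int):
    """Service side: label the caller from the socket, then apply policy."""
    allowed, reason = decide(peer_context(sock), proto, port)
    return allowed, reason, (firewall_rule(proto, port) if allowed else None)


if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for the client connection.
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    print(handle_request(a, "tcp", 80))   # allowed only if peer is httpd_t
    a.close(); b.close()
    # Constructed contexts, so the policy logic is visible without SELinux:
    print(decide("system_u:system_r:httpd_t:s0", "tcp", 80))
    print(decide("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", "tcp", 80))
```

Note that `handle_request` refuses when no label can be read at all: on a kernel without SELinux the helper fails closed rather than quietly degrading to "anyone may ask", which is the failure mode Alexander objects to.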