On Mon, 2006-03-27 at 19:54 -0500, David Zeuthen wrote:
> IIRC there were similar issues with SMB browsing and alexl did a
> netfilter kernel module to work around this around the FC3 / RHEL4
> time-frame; not sure it's that easy for g-u-s and the media players.

That was not the same sort of issue. The SMB browse issue was, we send a UDP multicast packet, and the reply gets filtered because the firewall doesn't understand the returned packet is a reply. This was fixed by writing a special connection tracker for such traffic.

The problem with g-u-s is that this really is a server that other people connect to, which is exactly the kind of thing we enable the firewall to prevent.

I must say I'm slightly bothered by the "let's have the apps punch holes in the firewall" approach. If any app can open holes in the firewall, what use is the firewall then? It will only be protecting ports that no application is listening to.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc
                   alexl@xxxxxxxxxx    alla@xxxxxxxxxxxxxx
He's a short-sighted amnesiac filmmaker from a doomed world. She's a
supernatural hip-hop safe cracker fleeing from a Satanic cult. They fight
crime!
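The distinction drawn in the message above, as an added example that is not part of the original message and is not netfilter code: a toy default-deny UDP filter in which a reply to a multicast query is dropped by exact-tuple tracking, accepted once a reply-expectation helper is enabled, while an unsolicited packet to a listening server is dropped either way. The class, addresses, ports and timeout are constructed assumptions.

```python
import ipaddress

class ToyFirewall:
    """Default-deny inbound UDP filter with an optional multicast-reply helper."""
    TIMEOUT = 3.0  # seconds an expectation stays valid (assumed value)

    def __init__(self, local_net, use_helper):
        self.local_net = ipaddress.ip_network(local_net)
        self.use_helper = use_helper
        self.flows = set()   # (remote_ip, remote_port, local_port) seen outbound
        self.expect = {}     # local_port -> time at which the expectation expires

    def outbound(self, now, dst_ip, dst_port, src_port):
        # Plain tracking only recognises a reply from the exact address we sent to.
        self.flows.add((dst_ip, dst_port, src_port))
        if self.use_helper and ipaddress.ip_address(dst_ip).is_multicast:
            # Helper: answers to a multicast query arrive from unicast peers,
            # so expect any local-subnet sender on this port for a short time.
            self.expect[src_port] = now + self.TIMEOUT

    def inbound(self, now, src_ip, src_port, dst_port):
        if (src_ip, src_port, dst_port) in self.flows:
            return "ACCEPT"
        in_net = ipaddress.ip_address(src_ip) in self.local_net
        if in_net and self.expect.get(dst_port, 0) > now:
            return "ACCEPT"
        return "DROP"

def demo(use_helper):
    # All packets below are constructed sample traffic.
    fw = ToyFirewall("192.0.2.0/24", use_helper)
    fw.outbound(0.0, "239.255.0.1", 5000, 40000)  # multicast query from port 40000
    return {
        "reply": fw.inbound(0.5, "192.0.2.20", 5000, 40000),
        "late_reply": fw.inbound(10.0, "192.0.2.20", 5000, 40000),
        "off_net": fw.inbound(0.5, "198.51.100.7", 5000, 40000),
        # No outbound packet precedes this one: a client reaching a local server.
        "unsolicited_to_server": fw.inbound(0.5, "192.0.2.20", 41000, 6000),
    }

if __name__ == "__main__":
    for flag in (False, True):
        print("helper" if flag else "no helper", demo(flag))
```

The helper narrows what it admits to the querying port, the local subnet and a short window, which is why it does not weaken the default-deny policy the way an application-opened port does.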