On Mon, 2008-10-27 at 19:19 +0100, Valent Turkovic wrote:
> > Just disable the firewall (service iptables stop)? That's what I do
> > anyway. IMNSHO, these days the firewall is a relic from the 1990's era.
> > It breaks at least mDNS (e.g. .local name resolution), gnome-user-share,
> > banshee/rhythmbox etc. music sharing. I also think we should also
> > disable the firewall for the desktop spin.
> >
> > David
>
> When I suggested only for ipv6iptables (not fully understanding it) to
> be disabled for Desktop spin I got trashed on devel mailing list, so
> good luck with that ;)

These are people that are probably happy about the current user
experience and for whom iptables(8) and system-config-firewall probably
are the right tools. And if you run a server, these tools may (or may
not but I digress) be the right answer.

However, for the desktop, the 1990s called and they want their firewall
back. And we should comply since today the desktop is completely broken
when it comes to file/music sharing. It's ironic isn't it? We go through
all this effort to implement this stuff (Lennart with .local resolution
in Avahi, others like Jon McCann for DAAP support in RB, Alex and
Bastien for file sharing) and leave broken in the default install? It's
ridiculous!

(Of course we are not going to just do "-iptables" in the Desktop
kickstart file, we need to properly assess the situation. Today, unlike
the 1990s, we have the ability to confine services with things like
SELinux. We could restrict access to local link only (mDNS would work,
wide area DNS-SD wouldn't work which is fine) in the default install. We
have stack smashing protection. Privilege separation. Etc. It's not
exactly rocket science to do this (but not trivial either); someone just
needs to sit down and work out a threat assessment, figure out what
changes we need and then just do it.)

David

--
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list