On Mon, Oct 27, 2008 at 03:53:30PM -0400, David Zeuthen wrote:
> Hence, if people want to share files using, say, Rhythmbox (and they
> do), they are left with either
>
> 1. Turning off the firewall
> 2. Configuring iptables(8) or using system-config-firewall
>
> Now, let me explain to you how RB/Banshee/gnome-user-share works. They
> allocate a random high port number. Now, before you complain that you
> think this is broken you have to understand why this is so.
>
> The programs have to do this because you may have several sessions or
> instances running. So in general you can't really predict the port
> number (or even range) to use since the user may add new services that
> share stuff on the network.
>
> So in general 2. won't really work (because you'd have to update it
> dynamically) so users of course resort to 1. Wow, what's that thing
> going out the window? That other useful stuff that we might have
> configured the iptables(8) stack with except for blocking ports.

But dynamic ports are not new to iptables: lots of protocols, be that rpc, h323 or even p-o-d passive ftp, need them, and conntrack/pom rectify the `static firewall' view. I haven't followed the latest netfilter developments, but I know there is even a userspace lib for registering such connections. Maybe RB/mDNS and friends just need a pom `plugin'.

Note that just as you turn off iptables and prefer selinux, I do that the other way around, as my selinux foo is less than desirable. I guess both of us are not really doing The Right Thing, but sometimes time matters.

-- 
Axel.Thimm at ATrpms.net
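To illustrate the conntrack point made above (a default-deny firewall that still admits a protocol's dynamically negotiated data connection, passive FTP being the case the mail names), here is an added example that is not part of the thread or of any of the projects mentioned. It prints the iptables commands for review and only applies them when APPLY=1; the interface name, the choice of FTP, and the variable names are constructed for the example.

```shell
#!/bin/sh
# Added example: stateful ruleset with a static default-deny INPUT policy.
# Secondary connections that a conntrack helper has tracked arrive as RELATED,
# so no per-service high port range has to be opened. Assumes iptables with
# the conntrack match, the CT target and the nf_conntrack_ftp module.

IPT="${IPT:-iptables}"      # binary to use (assumption: in PATH)
LAN_IF="${LAN_IF:-eth0}"    # constructed interface name

# Emit one rule, or run it when APPLY=1. Printing is the default so the
# script can be reviewed before it touches the running firewall.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        printf '%s %s\n' "$IPT" "$*"
    fi
}

stateful_ruleset() {
    # Inbound default deny; the ruleset itself never changes per session.
    rule -P INPUT DROP
    rule -A INPUT -i lo -j ACCEPT
    # Replies and helper-tracked secondary connections are admitted by state.
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the protocol's control port is opened explicitly.
    rule -A INPUT -i "$LAN_IF" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    # Current kernels do not auto-assign helpers (nf_conntrack_helper=0),
    # so bind the ftp helper to the control flow in the raw table; the data
    # connection it negotiates then matches RELATED instead of being dropped.
    rule -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp
}

# Number of rules the ruleset emits (used to sanity-check the dry run).
count_rules() {
    stateful_ruleset | wc -l | tr -d ' '
}

stateful_ruleset
```

Run with APPLY=1 only after reviewing the printed commands; a wrong LAN_IF on a remote host will lock you out under the DROP policy.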
-- 
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list