On Mon, 27.10.08 22:45, Axel Thimm (Axel.Thimm@xxxxxxxxxx) wrote:

> On Mon, Oct 27, 2008 at 03:53:30PM -0400, David Zeuthen wrote:
> > Hence, if people want to share files using, say, Rhythmbox (and they
> > do), they are left with either
> >
> > 1. Turning off the firewall
> > 2. Configuring iptables(8) or using system-config-firewall
> >
> > Now, let me explain to you how RB/Banshee/gnome-user-share works. They
> > allocate a random high port number. Now, before you complain that you
> > think this is broken you have to understand why this is so.
> >
> > The programs have to do this because you may have several sessions or
> > instances running. So in general you can't really predict the port
> > number (or even range) to use since the user may add new services that
> > share stuff on the network.
> >
> > So in general 2. won't really work (because you'd have to update it
> > dynamically) so users of course resort to 1. Wow, what's that thing
> > going out the window? That other useful stuff that we might have
> > configured the iptables(8) stack with except for blocking ports.
>
> But dynamical ports are not new to iptables, lots of protocols, be
> that rpc, h323 or even p-o-d passive ftp need them and conntrack/pom
> rectify the `static firewall' view.

But all those protocols start the connection with a well-known port and
then hand things off to a dynamic port. If you use truly random ports
then iptables needs to sense what kind of protocol something is based on
the packet contents. Which security-wise is a joke, and hence the whole
idea makes no sense.

> I haven't followed up the latest netfilter developments, but I know
> there is even a userspace lib for registering such connections. Maybe
> RB/mDNS and friends just need a pom `plugin'.

The Linux kernel already has an API for that. It's called listen().

Lennart

--
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net         ICQ# 11060553
http://0pointer.net/lennart/           GnuPG 0x1A015CC4

--
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
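As an added illustration of the conntrack point made above (this is not code from any poster in the thread): a toy stateful firewall whose FTP helper can only open the dynamic data port because it sees the PASV reply on the well-known control port, while an inbound connection to a random high port of the Rhythmbox kind has no control channel to anchor on and is dropped. The addresses, ports and the PASV reply are constructed; the reply format follows RFC 959.

```python
import re

FTP_PORT = 21
# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class StatefulFirewall:
    """Accepts new inbound connections only via static rules or helper expectations."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)   # static rules, e.g. {21}
        self.expected = set()                     # (client_ip, port) opened by a helper

    def inbound(self, src_ip, dst_port):
        """Decide whether a new inbound connection from src_ip to dst_port is accepted."""
        if dst_port in self.allowed_ports:
            return "ACCEPT"
        if (src_ip, dst_port) in self.expected:
            self.expected.discard((src_ip, dst_port))  # expectations are one-shot
            return "ACCEPT"
        return "DROP"

    def ftp_helper(self, client_ip, src_port, payload):
        """Inspect server->client control traffic for a PASV reply.

        The helper knows where to look only because the control channel sits on
        the well-known port 21; a truly random port gives it nothing to key on.
        """
        if src_port != FTP_PORT:
            return None
        m = PASV_RE.search(payload)
        if not m:
            return None
        p1, p2 = int(m.group(5)), int(m.group(6))
        data_port = p1 * 256 + p2
        self.expected.add((client_ip, data_port))
        return data_port


def demo():
    fw = StatefulFirewall(allowed_ports={FTP_PORT})
    client = "192.0.2.10"                              # constructed client address
    ctrl = fw.inbound(client, FTP_PORT)                # control channel: static rule
    port = fw.ftp_helper(client, FTP_PORT, "227 Entering Passive Mode (198,51,100,5,195,80)\r\n")
    data = fw.inbound(client, port)                    # data channel: opened by the helper
    rb = fw.inbound(client, 49152)                     # random high port: no channel to anchor on
    return ctrl, port, data, rb
```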