On Mon, Oct 27, 2008 at 09:55:56PM +0100, Lennart Poettering wrote:
> > But dynamical ports are not new to iptables, lots of protocols, be
> > that rpc, h323 or even p-o-d passive ftp need them and conntrack/pom
> > rectify the `static firewall' view.
>
> But all those protocols start the connection with a well known port
> and then hand things off to a dynamic port. If you use truly random
> ports then iptables needs to sense what kind of protocol something is
> based on the packet contents. Which security-wise is a joke, and
> hence the whole idea makes no sense.

And there are services that use truly random ports? E.g. w/o any
handshaking or negotiation about these ports by well-defined processes?
What do we have mDNS/DNS-SD/SSDP for?

Just like FTP negotiates the `truly random' ports, so do the zeroconf
techniques with IPs/ports/services. iptables/netfilter already has
intelligent agents to parse the passing packets for needed dynamical
firewall configuration. Just check it out, and maybe you'll rethink about
the netfilter project. :)

> > I haven't followed up the latest netfilter developments, but I know
> > there is even a userspace lib for registering such connections. Maybe
> > RB/mDNS and friends just need a pom `plugin'.
>
> The Linux kernel already has an API for that. It's called listen().

Cool, so any local non-privileged process could open up holes in the
firewall above ports 1024 as it pleases w/o the user even noticing. Why
not remove password protection from accounts while we are at it? ;)
-- 
Axel.Thimm at ATrpms.net
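The conntrack-helper point argued above (a well-known control port negotiates the dynamic data port, and the firewall pre-authorises only that one connection) can be illustrated with a toy model. This is added example code, not from the thread or the netfilter project; the `Firewall` class, the IP addresses and the PORT payload are constructed for the illustration.

```python
import re

# Constructed example: a toy model of a netfilter-style FTP conntrack helper.
# The control channel on well-known port 21 is inspected for PORT commands and
# only the announced data connection becomes a one-shot expectation (RELATED).
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n$")


class Firewall:
    def __init__(self):
        self.expectations = set()  # (src_ip, dst_ip, dst_port) of expected inbound flows

    def ftp_helper(self, client_ip, server_ip, payload):
        """Parse an FTP PORT command; register the expected server->client data flow."""
        m = PORT_RE.match(payload)
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        data_ip, data_port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Refuse PORT commands that name a third-party address: the expectation
        # must point back at the client that issued the command.
        if data_ip != client_ip:
            return None
        self.expectations.add((server_ip, client_ip, data_port))
        return data_ip, data_port

    def outbound(self, src_ip, dst_ip, dst_port, payload=b""):
        """Client-initiated traffic is allowed; FTP control traffic feeds the helper."""
        if dst_port == 21:
            self.ftp_helper(src_ip, dst_ip, payload)
        return "ACCEPT"

    def inbound(self, src_ip, dst_ip, dst_port):
        """Unsolicited inbound traffic is dropped unless it was negotiated (RELATED)."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expectations:
            self.expectations.discard(key)  # one-shot, like a conntrack expectation
            return "ACCEPT"
        return "DROP"


def demo():
    fw = Firewall()
    client, server = "192.0.2.10", "198.51.100.5"
    fw.outbound(client, server, 21, b"PORT 192,0,2,10,200,17\r\n")  # 200*256+17 = 51217
    return [fw.inbound(server, client, 51217),  # negotiated on port 21 -> ACCEPT
            fw.inbound(server, client, 51217),  # expectation already consumed -> DROP
            fw.inbound(server, client, 40000)]  # never negotiated -> DROP
```

`demo()` returns `['ACCEPT', 'DROP', 'DROP']`: only the port announced on the control channel gets through, and only once.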
-- Fedora-desktop-list mailing list Fedora-desktop-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-desktop-list