On Mon, 27.10.08 23:08, Axel Thimm (Axel.Thimm@xxxxxxxxxx) wrote: > On Mon, Oct 27, 2008 at 09:55:56PM +0100, Lennart Poettering wrote: > > > But dynamical ports are not new to iptables, lots of protocols, be > > > that rpc, h323 or even p-o-d passive ftp need them and conntrack/pom > > > rectify the `static firewall' view. > > > > But all those protocols start the connection with a well known port > > and then hand things off to a dynamic port. If you use truely random > > ports than iptables needs to sense what kind of protocol something is > > based on the packet contents. Which security-wise is a joke, and > > hence the whole idea makes no sense. > > And there are services that use truely random ports? E.g. w/o any > handshaking or negotiation about these ports by well-defined > processes? Why do we have mDNS/DNS-SD/SSDP for? So you are suggesting that a firewall should automatically whitelist all ports that are announced via mDNS on the network? Wow. That it is certainly one hell of a good idea. Oh my. Are you sure you really understand what "security" means? "Security" certainly doesn't mean whitelisting everything that someone likes to announce on the network via mDNS/DNS-SD. > > > I haven't followed up the latest netfilter developments, but I know > > > there is even a userspace lib for registering such connections. Maybe > > > RB/mDNS and friends just need a pom `plugin'. > > > > The Linux kernel already has an API for that. It's called listen(). > > Cool, so any local non-priviledged process could open up holes in the > firewall above ports 1024 as it pleases w/o the user even noticing. Yes. Absolutely. If he wants to use an app he will circumvent the fw anyway. And hence the fw is pointless and it would be far smoother to allow this kind of operation without nagging. > Why not remove password protection from accounts while we are at it? > ;) Hmm, so you did have a clown for breakfast, didn't you? Lennart -- Lennart Poettering Red Hat, Inc. lennart [at] poettering [dot] net ICQ# 11060553 http://0pointer.net/lennart/ GnuPG 0x1A015CC4 -- Fedora-desktop-list mailing list Fedora-desktop-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-desktop-list
