On Sun, Jun 14, 2009 at 12:30:41PM -0600, Kevin Fenzi wrote:
> On Sun, 14 Jun 2009 18:34:52 +0100
> Matthew Garrett <mjg@xxxxxxxxxx> wrote:
>
> > On Sun, Jun 14, 2009 at 06:13:51PM +0200, Julian Aloofi wrote:
> >
> > > So, solving this is pretty easy, even for newbies. But I agree that
> > > the error message will not help someone without advanced knowledge.
> > > Although I think people running Samba generally will know where to
> > > look for the problem.
> >
> > I think this is actually a problem that needs solving. We have
> > several network services that are either installed by default or
> > might be expected to be part of a standard setup, but which don't
> > work because of the default firewall rules. The Anaconda people have
> > (sensibly, IMHO) refused to simply add further exceptions to the
> > firewall policy.
> >
> > So, what should happen here? Should we leave the firewall enabled in
> > these cases* by default and require admins to open them? If so, is
> > there any way that we can make this easier in some
> > Packagekit-oriented manner? If not, how should we define that
> > packages indicate that they need ports opened? Should this be handled
> > at install time or run time?
> >
> > * The case that I keep hitting is mDNS resolution, which requires
> > opening a hole in the firewall

For the case of mDNS resolution, we should create a nf_conntrack module
to track outbound requests and allow the related replies back in. This
case is identical to the Samba browsing case where we created
nf_conntrack_netbios_ns [1]. We need a nf_conntrack_mdns too.

> I keep wondering if we couldn't come up with something
> like a /etc/iptables.d/ type setup somehow that would work for these
> cases.

That might be a good idea for services, but for clients (Samba NetBIOS
browsing, mDNS, other client-initiated broadcast/multicast-based
browsing or discovery protocols) we should just unconditionally install
and enable iptables conntrack modules to handle them by default [1] [2].
Clients should just work out-of-the-box without requiring any user
configuration.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=113918
[2] https://bugzilla.redhat.com/show_bug.cgi?id=469884

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
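As an added illustration (not code from this thread, and not the kernel helper itself), the following user-space model shows the expectation logic the existing nf_conntrack_netbios_ns helper applies and that the proposed nf_conntrack_mdns would mirror: an outbound broadcast/multicast query on the service port registers a short-lived expectation for answers from any host on the local subnet, so the replies are classified RELATED and pass the default firewall's RELATED,ESTABLISHED rule while unsolicited packets still fall through to REJECT. Assumed here: a 3 second expectation lifetime, the subnet taken from the interface prefix, and that mDNS answers may be sent back to the multicast group rather than to the querier.

```python
# Constructed user-space model of a broadcast/multicast conntrack helper.
# It only mimics the expectation nf_conntrack_netbios_ns registers (UDP 137)
# and what a nf_conntrack_mdns would register (UDP 5353); it is not kernel code.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Expectation:
    src_net: ipaddress.IPv4Network  # any host on the local subnet may answer
    sport: int                      # answers come from the service port itself
    dsts: frozenset                 # our own address, plus the group for multicast
    dport: int
    expires: float                  # absolute time; refreshed by each new query

# service port -> expectation lifetime in seconds (assumed 3 s for both)
HELPERS = {137: 3.0, 5353: 3.0}  # 137 = NetBIOS-NS (existing), 5353 = mDNS (proposed)

class ConntrackModel:
    def __init__(self, iface_addr_with_prefix):
        self.net = ipaddress.IPv4Network(iface_addr_with_prefix, strict=False)
        self.expectations = []

    def _bcast_or_mcast(self, addr):
        a = ipaddress.IPv4Address(addr)
        return a == self.net.broadcast_address or a.is_multicast

    def outbound(self, pkt, now):
        """Locally generated query: register a permanent (multi-match) expectation."""
        if pkt.dport in HELPERS and self._bcast_or_mcast(pkt.dst):
            dsts = {pkt.src}
            if ipaddress.IPv4Address(pkt.dst).is_multicast:
                dsts.add(pkt.dst)  # assumption: mDNS answers may go to the group
            self.expectations.append(Expectation(
                self.net, pkt.dport, frozenset(dsts), pkt.sport, now + HELPERS[pkt.dport]))

    def inbound(self, pkt, now):
        """Classify an incoming packet the way `-m state --state RELATED` would."""
        self.expectations = [e for e in self.expectations if e.expires > now]
        for e in self.expectations:
            if (ipaddress.IPv4Address(pkt.src) in e.src_net and pkt.sport == e.sport
                    and pkt.dst in e.dsts and pkt.dport == e.dport):
                return "RELATED"  # accepted by the RELATED,ESTABLISHED rule
        return "NEW"  # unsolicited: falls through to the default firewall REJECT
```

The same query answered by several hosts stays RELATED for each of them, because the expectation is not consumed by the first match; an answer from outside the subnet, or one arriving after the lifetime, is treated as NEW.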