On Sun, 2009-06-14 at 19:36 +0100, Matthew Garrett wrote:

> > there is an interesting issue;
> > if you poke a hole in your firewall for all the ports that are listening
> > automatically..... you might as well not have a firewall in the first
> > place...
>
> Well, not exactly. For instance, making it part of package management
> policy means that runtime user-level compromises can't poke holes. It
> could be tied to packages with recognised signatures. There's various
> ways that it could be tied down in such a way that the firewall still
> provides a benefit without leaving users in the current situation of "I
> installed nss-mdns and I still can't look up my media server".

Here's another variation on the popular AdamW theme "Wot Mandriva Does"...

Mandriva has a firewall configuration tool with a neat feature. Ports can be associated with packages (in the code, not by the user). So, oh, say, the default port most bittorrent apps use (I forget what it is, 8881 or something) is associated with all the packages in Mandriva which do bittorrent. When you run the firewall configuration tool, if any of those packages is installed, a "Bittorrent" checkbox shows up in the 'dead simple' interface - just check the box and Bittorrent magically works!

I used this for Windows Mobile sync stuff: WM sync requires something of an assortment of ports to be open in the firewall (four or five of 'em). So I just made the firewall config tool associate that set of ports with the libsynce package; if you have libsynce installed, the firewall config tool gives you a nice little checkbox (marked 'Windows Mobile Synchronization' or something) that opens all those ports for you.

It's a rather old system that looks a bit hacky from one perspective, but seems to satisfy the requests in this thread rather well: it's very easy to use but doesn't just open the firewall automatically.

Well, just an observation.

I can provide a link to the code if anyone cares, but if Fedora wanted to do something similar it'd probably just get re-done from scratch, as MDV's code is of course in perl...

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
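The package-to-ports scheme described in the post above, as an added example in Python (it is neither Mandriva's Perl tool nor any Fedora code). The two service labels follow the post; the package names, port numbers and the installed-package set are constructed placeholders. It also makes the point from the quoted paragraph explicit: the catalogue is fixed in the tool's code, and a port is opened only when the user ticks a box for a service whose package is actually installed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str                           # label of the checkbox in the simple UI
    packages: frozenset[str]            # packages that provide the service
    ports: tuple[tuple[str, int], ...]  # (protocol, port) pairs it needs

# The catalogue lives in the tool's own code, not in user-editable state,
# so a runtime user-level compromise cannot add entries to it.
# Package names and port numbers below are constructed placeholders.
SERVICES = (
    Service("Bittorrent", frozenset({"example-torrent-client"}),
            (("tcp", 8881),)),
    Service("Windows Mobile Synchronization", frozenset({"libsynce"}),
            (("tcp", 10001), ("tcp", 10002), ("tcp", 10003),
             ("tcp", 10004), ("udp", 10004))),
)

def offered_services(installed: frozenset[str]) -> list[str]:
    """Checkboxes to show: one per service whose providing package is installed."""
    return [s.name for s in SERVICES if s.packages & installed]

def firewall_rules(installed: frozenset[str], enabled: set[str]) -> list[str]:
    """Accept rules for the services the user ticked.

    Two properties from the thread hold here: nothing opens unless the user
    ticks it, and a box can only be ticked for a service whose package is
    installed; any other request is refused rather than silently honoured.
    """
    offered = set(offered_services(installed))
    refused = set(enabled) - offered
    if refused:
        raise ValueError(f"not offered on this system: {sorted(refused)}")
    rules = []
    for svc in SERVICES:
        if svc.name in enabled:
            for proto, port in svc.ports:
                # iptables-style rule text, illustrative only
                rules.append(f"-A INPUT -p {proto} --dport {port} -j ACCEPT")
    return rules

if __name__ == "__main__":
    have = frozenset({"libsynce", "firefox"})
    print("offered:", offered_services(have))
    for rule in firewall_rules(have, {"Windows Mobile Synchronization"}):
        print(rule)
```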