Re: Firewall settings unworkable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2010-10-06 at 19:31 +0100, Richard W.M. Jones wrote:
> Seems quite complex.  What's wrong with a directory:
> 
>   /etc/iptables.d/
> 
> where RPMs like libvirt just drop the required additional rules (in a
> separate chain if you like) and restart the iptables service?  It's
> low-tech but simple and it's all that libvirt needs.

Other applications need more than that.

For example, when CUPS wants to detect network printers using SNMP, a
query is sent as a UDP packet to the broadcast address(es) from a local
unprivileged port to the remote SNMP port, 161.  It needs to be able to
hear replies.

What I was saying in my original post is that there is no simple
iptables rule that can be written today to express that, aside from
simply allowing all UDP packets to unprivileged ports, obviously not
something we want to do.

Ideally the kernel would provide a way to express this using a conntrack
module.  Until that time, however, being able to do this would suffice:

* bind() to get a free local unprivileged port

* use D-Bus to tell the firewall to allow UDP sport:161 dport:$port for
a short time

* send query

* listen for responses

* (optionally) use D-Bus to tell the firewall it can discard that rule
now

Until bind() is called, no-one knows what local port to allow UDP
packets in on.

Tim.
*/

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux