Re: Firewall blocking desktop features


 



On 09/11/2013 06:30 AM, Alec Leamas wrote:
On 2013-09-11 12:02, Nicolas Mailhot wrote:
On Wed, 11 September 2013 11:23, Alec Leamas wrote:
On 2013-09-11 11:11, Heiko Adams wrote:
On 11.09.2013 10:41, Ankur Sinha wrote:
- These software inform and take permission from the user before opening ports in the firewall.
IMHO it should be the job of the firewall to inform the user about an
application that wants to open one or more ports and ask for permission
to open those ports either temporarily for the current session or
permanently.


Is this a good idea? The firewall just knows about an attempt to use a
specific port. It does not know which application *really* is
trying to use that port. It could certainly make an educated guess, but
that's just not good enough in this context IMHO.

OTOH, the application knows what ports it needs (even some which just
might be used later) and can also identify itself to the user. Seems
more reasonable to me.
The application can lie and propose to open X and then when user says ok
open Y. The prompt really needs to be initiated firewall-side


True. But isn't there a lot to do if we should safeguard against local, lying applications? Well, we have the precompiled, proprietary ones...

Even if an app isn't malware, most applications are just not designed for a scenario where the user is prompted to punch a hole in the firewall as soon as an attempt is made. There might be surprises down this road.

That said, I see your point. Seems to boil down to that only the application knows which port(s) to open and why, whereas only the firewall can guarantee that it actually opens the ports requested by user instead of something else.

--alec

Application should request the ports to be opened and the firewalld layer should then confirm with the user stating which ports and which app requested said ports. The app can't lie if the firewall layer is the one asking for confirmation.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




