On 09/11/2013 09:18 AM, Reindl Harald wrote:
>
>
> On 11.09.2013 15:05, Daniel J Walsh wrote:
>> On 09/11/2013 08:56 AM, Alec Leamas wrote:
>>> Although this would work for both our wives I'd hate it myself. There
>>> needs to be some way in the interface to understand what's *really*
>>> going on here, the ports opened, triggers etc. But not unless
>>> requested, agreed.
>>
>> My idea is that Samba registers something with firewalld that says here
>> is the prompt to show if a process in user space says to open port 2345.
>
> very very bad idea!
>

In a perfect world I agree. Sadly we need something better than we currently
have. Microsoft tried to tell the user about every port connection and this
does not work, because users have no idea.

I am trying to find some happy ground between, telling everyone you have to
disable firewall to do cool stuff on the desktop.

If a random prompt came up that says "Do you want to share FOOBAR on the
internet"? A non educated user could have a chance of saying No? If it kept
on happening, he might even ask someone why his machine is acting weird.

But if he just said setup sharing of FOOBAR he would understand this and make
the correct decision.

We have a tool that could be used for labeling the processes that are asking,
SELinux, but we would have to eliminate the unconfined_t domain :^(.

> that means if there is no samba running and whatever harmful process needs to
> open incoming connections it would trigger the prompt for samba
>
> this is the way to go only if you want to design a security nightmare
>
>> The problem with this solution is potential conflicts in port numbers and
>> apps that just use random ports (Which I think should just not be allowed
>> to use the service and would require to disable the firewall.)
>
> the real problem i described above
>
> as long as there is no way to get *predictable* which service/process is asking
> to open a specific port and verify this on the system level this all is
> completely pointless
>

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct