On 11.09.2013 23:18, Mateusz Marzantowicz wrote:
> On 11.09.2013 17:24, Daniel J Walsh wrote:
>> On 09/11/2013 09:18 AM, Reindl Harald wrote:
>>>> The problem with this solution is potential conflicts in port numbers and
>>>> apps that just use random ports (which I think should just not be allowed
>>>> to use the service and would require disabling the firewall.)
>>
>>> the real problem I described above
>>
>>> as long as there is no way to get *predictably* which service/process is asking
>>> to open a specific port and verify this on the system level, this all is
>>> completely pointless
>
> Interesting discussion, but several things don't fit together for me:
>
> 1. It's the firewall's job to manage and keep track of opened ports and
> established connections, so it also should be the piece of software that
> asks the user if he wants to allow network traffic or not.

yes

> 2. Why do you say there is no way for the firewall to know which app is
> requesting a specific port to be opened? There is a process name and path,
> and it could be identified.

could - well, "could" is not a working implementation

show a working implementation

firewall means iptables (yes, firewalld is nothing else than writing netfilter rules)

> It's also easy to maintain a database of the most commonly used binaries and
> the ports that they'd like to open/close. If you don't trust binaries on
> your system it means it's already been compromised, and the firewall is then
> useless

in the case of *desktop features* most of the time you are speaking about
not so well known ports like 80, 443, 445, and what I fight against is the
proposal someone brought into this thread that the *application defines*
the message which the user confirms to open a port - from a security point
of view this is the most stupid way to go and will later end in a nightmare

> 3. If you allow each app to ask for permission to open some port, it'll
> certainly be done in a thousand different ways, and the lack of consistency
> isn't going to help users

*what*?

where do I say anything about 1000 different ways? the *opposite* is what I
claim all the time must happen

what most people do not realize here is that the whole system (netfilter,
network stack, applications) needs to work tightly together in the case of a
request, because the application layer still sends data and you have to
consider queueing packets and, after opening the firewall, sending them to
the application - or whatever you would like to do will likely fail

so with the current state of play there is a lot of infrastructure missing
to even loudly consider implementing "desktop firewalls" as known from the
Windows world, and honestly, before mistakes are made, I clearly say "do not
touch it at all", simply because it worked over decades and it is still
working, and before anyone comes out and says "but not comfortable enough"
he should take a breath and realize that when it comes to security it works
*always* against comfort, with *no* exceptions at all
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
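The thread argues over whether the system itself can tell which process is behind a listening port. The kernel already records that: /proc/net/tcp lists every TCP socket with its owning uid and socket inode, and /proc/<pid>/fd/* symlinks name the same inode as "socket:[N]", which is how `ss -p` and `lsof -i` attribute sockets to processes. The script below is an added example for this thread, not code from any poster or from firewalld; it assumes the Linux /proc layout and a little-endian host (the address octets in /proc/net/tcp appear reversed there). The /proc/net/tcp rows are constructed sample data, and the process lookup only succeeds for real pids on a live host. It answers "who owns this socket right now", not the queueing and race concerns raised above.

```python
"""Map listening TCP sockets to their owning processes via /proc.

Added example for this thread, not code from any poster or from firewalld.
Assumes the Linux /proc layout: /proc/net/tcp lists sockets with inode
numbers, and /proc/<pid>/fd/* symlinks read "socket:[<inode>]".
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of /proc/net/tcp (not captured from a real host):
# a root-owned listener on *:80, a uid-1000 listener on 127.0.0.1:8080,
# and one established connection (state 01), which must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 11111 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp
SOCKET_LINK_RE = re.compile(r"^socket:\[(\d+)\]$")


def decode_ipv4_endpoint(hex_endpoint: str) -> Tuple[str, int]:
    """Decode "0100007F:1F90" -> ("127.0.0.1", 8080).

    The kernel prints the network-order address as a native 32-bit integer,
    so on a little-endian host (assumed here) the octets appear reversed;
    the port is plain big-endian hex.
    """
    ip_hex, port_hex = hex_endpoint.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in reversed(octets)), int(port_hex, 16)


def parse_listeners(proc_net_tcp: str) -> List[Dict[str, object]]:
    """Return only the LISTEN sockets from /proc/net/tcp text."""
    listeners: List[Dict[str, object]] = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, uid, inode = fields[1], fields[3], fields[7], fields[9]
        if state != TCP_LISTEN:
            continue
        ip, port = decode_ipv4_endpoint(local)
        listeners.append({"ip": ip, "port": port, "uid": int(uid), "inode": int(inode)})
    return listeners


def map_inodes_to_processes(inodes: Iterable[int], proc_root: str = "/proc") -> Dict[int, Tuple[int, str]]:
    """Walk /proc/<pid>/fd and return {socket_inode: (pid, exe_path)}.

    Reading another user's fd directory needs root; unreadable or vanished
    processes are skipped rather than treated as errors.
    """
    wanted = set(inodes)
    owners: Dict[int, Tuple[int, str]] = {}
    if not wanted or not os.path.isdir(proc_root):
        return owners
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            match = SOCKET_LINK_RE.match(target)
            if not match or int(match.group(1)) not in wanted:
                continue
            try:
                exe = os.readlink(os.path.join(proc_root, entry, "exe"))
            except OSError:
                exe = "<unreadable>"
            owners[int(match.group(1))] = (int(entry), exe)
    return owners


def listeners_with_owners(proc_net_tcp: str, proc_root: str = "/proc") -> List[Dict[str, object]]:
    """Join the socket table with the process table; owner is None if unknown."""
    listeners = parse_listeners(proc_net_tcp)
    owners = map_inodes_to_processes((int(l["inode"]) for l in listeners), proc_root)
    for l in listeners:
        l["owner"] = owners.get(int(l["inode"]))
    return listeners


if __name__ == "__main__":
    # On a live Linux host read the real table; fall back to the sample elsewhere.
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for entry in listeners_with_owners(table):
        print(f"{entry['ip']}:{entry['port']} uid={entry['uid']} owner={entry['owner']}")
```

Run as root on a live host to see every listener attributed to a pid and executable path; as an unprivileged user only your own processes resolve, and the rest show `owner=None`. The uid column is still available without privilege, which is enough to distinguish a root daemon on port 80 from a user process on 8080.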