Re: F21 System Wide Change: Workstation: Disable firewall

On 4/15/14, drago01 <drago01@xxxxxxxxx> wrote:
> On Tue, Apr 15, 2014 at 6:13 PM, Andrew Lutomirski <luto@xxxxxxx> wrote:
[cut]
>> I keep thinking that, if I had unlimited time, I'd write a totally
>> different kind of firewall.  It would allow some policy (userspace
>> daemon or rules loaded into the kernel) to determine when programs can
>> listen on what sockets and when connections can be accepted on those
>> sockets.
>
> We could do that today by using selinux and confine all programs into
> a domain that does not allow listening on any ports.
> Those that have to should get labeled by a different type.
>
> We could go as far as do that for unconfined_t as well and have the
> user chcon to an "allow_ports_prog_t" or something (and have a boolean
> to shut it off for everything).
>
> But I am not sure this is less of a hassle than a firewall though.

Agreed. Anyway, some users disable selinux because it gets in their
way, exactly as the firewall. Would be interesting to have some idea
of percentages for this (% disabled firewalls, % disabled selinux) out
there, but I presume it's hopeless.

Anyway, I get the feeling that the hunt for the "really proper" fix is
not that fruitful here. OTOH, if you limit the goals to fulfill the
basic statement to not let the default configuration of firewalld
block the functionality of the default Workstations applications it
should certainly be doable without writing a new firewall. Not the
most elegant, ultimate solution, but something which solves the
problem at hand.

--a
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct