On 04/16/2014 09:32 AM, Simo Sorce wrote:
> On Wed, 2014-04-16 at 05:40 -0700, Daniel J Walsh wrote:
>> On 04/15/2014 09:31 AM, Simo Sorce wrote:
>>> On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote:
>>>> I keep thinking that, if I had unlimited time, I'd write a totally
>>>> different kind of firewall. It would allow some policy (userspace
>>>> daemon or rules loaded into the kernel) to determine when programs can
>>>> listen on what sockets and when connections can be accepted on those
>>>> sockets. This avoids the attack surface of iptables, it will be
>>>> faster, it can cause programs to actually report errors if you want
>>>> them to, and it could be a lot easier to configure.
>>>>
>>>> Wouldn't it be great if, when you start some program that wants to
>>>> listen globally, your system could prompt you and ask whether it was
>>>> okay, even if that program didn't know about firewalld?
>>>>
>>> I think what you are describing could probably be realized with SELinux
>>> today, just with a special setroubleshoot frontend that catches the AVC
>>> when the service tries to listen and asks the user if he wants to allow
>>> it.
>>>
>>> However this would still not be completely sufficient as you completely
>>> lack any context about what network you are operating on.
>>>
>>> The firewall's purpose is to block access to local services on bad
>>> networks too; it is not a binary open/close equation when you have
>>> machines (laptops) that roam across a variety of networks.
>>>
>>> Simo.
>>>
>> Nothing worse than asking users security-related questions about opening
>> firewall ports.
>> Users will just answer yes, whether or not they are being hacked.
>>
>> "firefox wants to listen on port 9900 in order to see this page, OK?"
>
> Which is not what I proposed Dan.
>
> I in fact said we should *NOT* ask per application.
>
> What we should ask is one single question, upon connecting to an unknown
> network: "Is this network trusted?"
>
> If yes you open up to the local network. If no you keep ports not
> accessible on that network.
>
> We can hint that a cafe wifi is usually not trusted and users should say
> no, or perhaps we do not even ask and default to untrusted on open wifi
> networks, and only ask on secured networks (this would be my
> preference).

Didn't mean to accuse you of saying that. I do like the idea of asking if
you are on a "trusted" network.

>> 99.999% will answer yes, and be aggravated.
>>
>> Setting up a rule that says app XYZ is allowed to open certain ports
>> would be a great step forward. But there would need to be a provable
>> way to guarantee that only the XYZ application is able to open those
>> ports. You could do this with SELinux, but we would need to transition
>> user apps to certain domains, but we would need to run users with a
>> confined domain, and stop disabling SELinux...
> I think we can do this in steps, I certainly agree with the long term
> goal.
>
> Simo.
>
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
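Simo's per-network proposal (one "is this network trusted?" question, remembered per network, never asked on open wifi, with local-only services exposed only on trusted networks) modelled as an added Python example; this is not code from the thread or from firewalld, and the `Network`/`Service` fields, the `ask` callback and the sample services are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set


@dataclass(frozen=True)
class Network:
    ssid: str       # network identity (constructed sample values below)
    secured: bool   # True for WPA-style networks, False for open wifi


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    local_only: bool = True   # reachable only from trusted networks


# Constructed sample: sshd is meant to be reachable anywhere, the rest
# only from a trusted local network.
SERVICES: List[Service] = [
    Service("sshd", 22, local_only=False),
    Service("cups", 631),
    Service("mdns", 5353),
]


class TrustPolicy:
    """One trust decision per network, as proposed in the thread.

    - open (unsecured) wifi: default untrusted, the user is never asked
    - secured but unknown network: ask once, remember the answer
    - secured known network: reuse the remembered answer

    Caveat: keying trust on the SSID alone is weak, since an SSID can be
    cloned; a real implementation should bind the decision to something
    harder to spoof (e.g. the access point identity plus its security).
    """

    def __init__(self, ask: Callable[[Network], bool]):
        self.ask = ask                     # assumed UI callback
        self.remembered: Dict[str, bool] = {}

    def trusted(self, net: Network) -> bool:
        if not net.secured:
            return False                   # cafe wifi: do not even ask
        if net.ssid not in self.remembered:
            self.remembered[net.ssid] = self.ask(net)
        return self.remembered[net.ssid]

    def reachable_ports(self, net: Network, services: Iterable[Service]) -> Set[int]:
        trusted = self.trusted(net)
        return {s.port for s in services if trusted or not s.local_only}
```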