Re: Fedora Workstation and disabled by default firewall


On 8/31/19 6:45 PM, John Harris wrote:
> On Friday, August 30, 2019 4:33:11 AM MST Björn Persson wrote:
>> John Harris wrote:
>>> Thing is, binding a port and expecting it to be open to every network
>>> interface you've got are two very different things.
>> Once again John Harris is completely wrong. The bind system call is
>> precisely how a program specifies which network interfaces it wants to
>> open a socket to. A program that calls bind with IN6ADDR_ANY_INIT or
>> INADDR_ANY and a specific port number expects that port to be open to
>> every network interface the computer has.
>>
>> A program that doesn't intend to listen on every network interface will
>> bind to an IP address assigned to one interface to listen only on that
>> network, or maybe a localhost address to listen only on the loopback
>> interface. The port and the network interface are specified together in
>> a single sockaddr object passed to a single system call, so it's very
>> much the same thing.
>>
>> Björn Persson
> This is a bit hostile, and certainly comes off as passive aggressive. When you
> bind a port, it isn't open on every interface unless you specify that; you're
> partially correct. Many programs, however, bind all interfaces regardless. For
> example, dnsmasq does this by default, and many other programs do it without a
> configuration option on ports. So, while the software may be open to all ports
> because of the code itself, that is often not the intention. Many programs
> just bind all interfaces, and expect that you'll configure your firewall to
> whatever should be able to access the network service it's serving.
>
> Programs that don't intend to listen on every interface generally don't bind
> only to one interface, though they should. Especially not proprietary
> software. If an interface is not specified, you get all interfaces bound.
>
> Binding a port has nothing to do with opening a socket to something else. In
> nearly all cases, it's used to open your system to incoming connections.

Additionally, binding to a specific address does not handle dynamic
networks very well. Programs would need to be reconfigured and restarted
to handle the machine being connected to a different network, or an IP
address change on an existing network. Binding to the null address and
taking advantage of firewall zones works well for situations where the
program should be accessible on one network (or one class of networks)
but not another (even when connected to both networks simultaneously).
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
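As an added illustration of the bind() semantics argued over in the thread above (example code, not from any poster): a small C program that binds a TCP socket to the IPv4 wildcard, to loopback, and to an address the host does not own, then reads back via getsockname() what the kernel actually recorded. The addresses are constructed samples; the EADDRNOTAVAIL outcome for 192.0.2.1 assumes net.ipv4.ip_nonlocal_bind is off (the Linux default) and that the host has no address in that documentation range.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to ip:port (port 0 = kernel picks an ephemeral port), then
 * read back what the kernel recorded. Returns the bound port (>0) and writes the
 * bound address to `out`, or a negative errno value on failure. */
int bind_and_report(const char *ip, uint16_t port, char *out, size_t outlen)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    struct sockaddr_in got; socklen_t len = sizeof got;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return -EINVAL; /* bad literal */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    /* Address and port travel together in the one sockaddr handed to bind():
     * 0.0.0.0 = every interface, 127.0.0.1 = loopback only, an address this
     * host does not own = EADDRNOTAVAIL (assumes ip_nonlocal_bind is off). */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    close(fd);
    inet_ntop(AF_INET, &got.sin_addr, out, outlen);
    return ntohs(got.sin_port);
}

/* 1 if binding to `ip` succeeds and the kernel reports that same address back. */
int binds_to(const char *ip)
{
    char buf[INET_ADDRSTRLEN];
    return bind_and_report(ip, 0, buf, sizeof buf) > 0 && strcmp(buf, ip) == 0;
}

int main(void)
{
    /* Constructed cases: wildcard, loopback, a documentation-range address not
     * assigned to this host, and a malformed literal. */
    const char *cases[] = { "0.0.0.0", "127.0.0.1", "192.0.2.1", "10.0.0.256" };
    for (int i = 0; i < 4; i++) {
        char buf[INET_ADDRSTRLEN];
        int rc = bind_and_report(cases[i], 0, buf, sizeof buf);
        if (rc > 0) printf("%-11s -> bound to %s:%d\n", cases[i], buf, rc);
        else        printf("%-11s -> bind failed: %s\n", cases[i], strerror(-rc));
    }
    return 0;
}
```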