Re: firewall changes for F-9+

On Wed, 2008-01-16 at 18:52 +0100, Thomas Woerner wrote:
> Hello,
> 
> here are the latest changes for system-config-firewall for F-9+:
> 
> The usage of --port=<port>:<proto> for lokkit will open up this port and 
> not a service using this port anymore. To enable a service you have to 
> use the new --service=<name> option. There are no magic default open 
> services. You have to open up the services you want to use. The interim 
> options --no-X; X in ["ipsec", "mdns", "ipp"] are obsolete now.
> 
> To set up a new firewall, you can use the new --default=<name> 
> configuration option as a start:
>    server  : ssh is enabled
>    desktop : ipsec, mdns and ipp are enabled
> 
> These changes for lokkit also affect the kickstart firewall configuration.
> 
> There is a utility to convert existing configurations, which will be 
> used automatically while updating the package.

I don't think it's a good default to have IPP disabled.  The cupsd
process already binds to localhost by default, and only binds to '*'
when a printer is explicitly shared by the user.

As for RPC services binding to the IPP port instead -- well, this is a
bug that needs to be fixed regardless.  Whether it's done with SELinux
policy, or with a port reservation daemon, or with portmap/glibc hacks,
I don't mind.

It would be different if there were a mechanism that
system-config-printer could use to request that the IPP port be opened
(with user approval), perhaps based on PolicyKit.  The truth is that
there is no such mechanism, even though I have repeatedly asked for it.
(No, lokkit is not sufficient: it needs to be something that a non-root
user application can request, as system-config-printer will not run as
root in the future.)

Until that mechanism is provided, blocking the IPP port will make the
user experience of sharing printers quite a lot worse, and will probably
lead to people disabling the firewall altogether in the same way they
have previously disabled SELinux.

Just my humble opinion,
Tim.
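The reply above rests on one observable fact: cupsd listens only on loopback until a printer is shared, at which point it binds to the wildcard address. An administrator deciding whether to open the ipp service with lokkit can check that before touching the firewall. The following shell function is an added example written for this archive page, not code from either poster or from system-config-firewall; it classifies listener lines in the layout of `ss -lnt` output (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port). The two sample inputs are constructed, not captured from a real host.

```shell
# Constructed sample listener lines, in the field layout of `ss -lnt`.
# Case 1: cupsd on loopback only (the default described in the thread), plus sshd.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      128    [::1]:631          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Case 2: a printer has been shared, so cupsd now binds to the wildcard address.
SAMPLE_SHARED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:631        0.0.0.0:*
LISTEN 0      128    [::]:631           [::]:*'

# ipp_exposure: read listener lines from stdin and print one word:
#   wildcard  - port 631 is bound on at least one non-loopback address
#   loopback  - port 631 is bound only on 127.0.0.1 / [::1]
#   none      - nothing is listening on port 631
# Only the fourth field (Local Address:Port) is inspected; the header line
# and other ports are ignored.
ipp_exposure() {
    awk '
        $4 ~ /:631$/ {
            addr = $4
            sub(/:631$/, "", addr)
            if (addr == "127.0.0.1" || addr == "[::1]")
                loopback = 1
            else
                wildcard = 1
        }
        END {
            if (wildcard)      print "wildcard"
            else if (loopback) print "loopback"
            else               print "none"
        }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_LOOPBACK" | ipp_exposure
printf '%s\n' "$SAMPLE_SHARED"   | ipp_exposure
```

On a live host the same check is `ss -lnt | ipp_exposure`. A result of "loopback" means the firewall rule for ipp is irrelevant to exposure, which is the point made above: the port only matters once sharing has moved cupsd to the wildcard bind, and that is exactly when the user would expect the service to be reachable.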

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
