On Wed, 2008-01-16 at 18:52 +0100, Thomas Woerner wrote:
> Hello,
>
> here are the latest changes for system-config-firewall for F-9+:
>
> The usage of --port=<port>:<proto> for lokkit will open up this port and
> not a service using this port anymore. To enable a service you have to
> use the new --service=<name> option. There are no magic default open
> services. You have to open up the services you want to use. The interim
> options --no-X; X in ["ipsec", "mdns", "ipp"] are obsolete now.
>
> To set up a new firewall, you can use the new --default=<name>
> configuration option as a start:
> server : ssh is enabled
> desktop : ipsec, mdns and ipp are enabled
>
> These changes for lokkit also affect the kickstart firewall configuration.
>
> There is a utility to convert existing configurations, which will be
> used automatically while updating the package.

I don't think it's a good default to have IPP disabled. The cupsd process already binds to localhost by default, and only binds to '*' when a printer is explicitly shared by the user.

As for RPC services binding to the IPP port instead -- well, this is a bug that needs to be fixed regardless. Whether it's done with SELinux policy, or with a port reservation daemon, or with portmap/glibc hacks, I don't mind.

It would be different if there were a mechanism that system-config-printer could use to request that the IPP port be opened (with user approval), perhaps based on PolicyKit. The truth is that there is no such mechanism, even though I have repeatedly asked for it. (No, lokkit is not sufficient: it needs to be something that a non-root user application can request, as system-config-printer will not run as root in the future.)

Until that mechanism is provided, blocking the IPP port will make the user experience of sharing printers quite a lot worse, and will probably lead to people disabling the firewall altogether in the same way they have previously disabled SELinux.

Just my humble opinion,
Tim.
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list