On Thu, 14.01.10 09:16, Colin Guthrie (gmane at colin.guthr.ie) wrote:

> 'Twas brillig, and Kevin Fox at 14/01/10 00:43 did gyre and gimble:
> > devices", why not "Poke hole in local firewall"?
>
> Is there a standard way to do this? I guess running ip[6]tables directly
> would work if you had root permissions.... is there some kind of
> framework (via presumably policykit) to achieve this?

Meh. This is precisely why I think that "personal" firewalls are madness.
If you allow applications to poke holes into the firewall whenever they
want them, why have the firewall in the first place?

An app normally just calls listen() to accept connections on a TCP port.
All those stupid schemes where apps are now supposed to ask for an
additional hole in the fw simply make this more complex, so that it
becomes listen()+some_stupid_complex_dbus_call() or suchlike. And the
effect will be exactly the same: when the app wants the port, it gets it.

Say NO! to personal firewalls. It creates a fake sense of security and
adds complexity and error sources.

If you want to regulate which process gets to listen on the network, then
use a more useful security system, such as SELinux or suchlike. But a
firewall is simply not suitable.

I know that admins love their firewalls, but uh, just because that is a
tool they understand, they shouldn't extrapolate that it is useful for
more than, let's say, network border control and maybe
laptop-in-an-internet-cafe profile lockdown.

Anyway, this is mostly off-topic.

Lennart

--
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4