Linux Archive: Fedora Development
Firewall and user services that needs open ports (http://www.linux-archive.org/fedora-development/110872-firewall-user-services-needs-open-ports.html)

"Izhar Firdaus" 06-21-2008 12:16 PM

Firewall and user services that needs open ports
 
I needed to print through a network printer a few days ago. But it
doesn't just work. Seems like the firewall needs to be stopped and
cups-config-daemon needs to be started (not sure about the latter, because I
simply start all cups related services).

This raises a question, as Fedora turns on the firewall by default, what's
the plan for certain user services that require the firewall to be turned
off (cups, gnome file sharing)? Something like PolicyKit but for the
firewall? Ubuntu took the easy way of simply disabling the firewall, and
I doubt Fedora will follow that path.

--
Mohd Izhar Firdaus Bin Ismail
Amano Hikaru
天野晃 「あまの ひかる」
http://fedoraproject.org/wiki/MohdIzharFirdaus
http://blog.kagesenshi.org
92C2 B295 B40B B3DC 6866 5011 5BD2 584A 8A5D 7331

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Jeroen van Meeuwen 06-21-2008 07:34 PM

Firewall and user services that needs open ports
 
Izhar Firdaus wrote:

> I needed to print through a network printer a few days ago. But it
> doesn't just work. Seems like the firewall needs to be stopped and
> cups-config-daemon needs to be started (not sure about the latter, because I
> simply start all cups related services).
>
> This raises a question, as Fedora turns on the firewall by default, what's
> the plan for certain user services that require the firewall to be turned
> off (cups, gnome file sharing)? Something like PolicyKit but for the
> firewall? Ubuntu took the easy way of simply disabling the firewall, and
> I doubt Fedora will follow that path.

This has been a discussion on some list some time ago... If memory
serves me well it was not becoming the default. I think the only move
forward to make is to:

1) invent a system that will do this kind of thing
2) do the work and test-case / show-case the system
3) make it available to users that would otherwise just shut down the
firewall entirely

-Jeroen


Andrew Farris 06-22-2008 07:06 PM

Firewall and user services that needs open ports
 
Izhar Firdaus wrote:

> I needed to print through a network printer a few days ago. But it
> doesn't just work. Seems like the firewall needs to be stopped and
> cups-config-daemon needs to be started (not sure about the latter, because I
> simply start all cups related services).
>
> This raises a question, as Fedora turns on the firewall by default, what's
> the plan for certain user services that require the firewall to be turned
> off (cups, gnome file sharing)? Something like PolicyKit but for the
> firewall? Ubuntu took the easy way of simply disabling the firewall, and
> I doubt Fedora will follow that path.

There is no service which requires a firewall to be turned off... that does not
exist. What they require is configuration to function with the firewall on.
Improvement of the firewall configuration tool would certainly be a good step
forward, and perhaps more automated configuration via upnp, but turning it off
is definitely the wrong move... no matter what service you're trying to get
through it.


--
Andrew Farris <lordmorgul@gmail.com> www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29


Chuck Anderson 06-22-2008 08:53 PM

Firewall and user services that needs open ports
 
On Sun, Jun 22, 2008 at 12:06:44PM -0700, Andrew Farris wrote:
> Izhar Firdaus wrote:
> There is no service which requires a firewall to be turned off... that does
> not exist. What they require is configuration to function with the
> firewall on. Improvement of the firewall configuration tool would certainly
> be a good step forward, and perhaps more automated configuration via upnp,
> but turning it off is definitely the wrong move... no matter what service
> you're trying to get through it.

Why do we need a firewall when you can easily prevent services from
being accessed...just stop the service! Don't bind to the port, and
it won't be possible to connect to it.


"Izhar Firdaus" 06-23-2008 01:56 AM

Firewall and user services that needs open ports
 
On Mon, Jun 23, 2008 at 3:06 AM, Andrew Farris <lordmorgul@gmail.com> wrote:
>
> There is no service which requires a firewall to be turned off... that does
> not exist. What they require is configuration to function with the firewall
> on. Improvement of the firewall configuration tool would certainly be a good
> step forward, and perhaps more automated configuration via upnp, but turning
> it off is definitely the wrong move... no matter what service you're trying
> to get through it.
>

err, well, yeah - firewall turned off or port opened... I know I
can use netstat -nap to find what ports I need to open, but
JoeRandom can't do that. I didn't suggest turning off the firewall,
I really believe Fedora would never do that. My question was, are
there any plans for handling such a purpose? Because so far, the only
approach that I've seen is to disable the firewall - which is rather
an ugly move.

On Mon, Jun 23, 2008 at 4:53 AM, Chuck Anderson <cra@wpi.edu> wrote:
> Why do we need a firewall when you can easily prevent services from
> being accessed...just stop the service! Don't bind to the port, and
> it won't be possible to connect to it.
>

because JoeRandom doesn't know what daemon to turn on and what daemon
to turn off. He will turn on whatever daemon he found/installed. And
because binding a port > 1024 doesn't need root, who knows what
(malicious) software might be utilizing those high ports.

--
Mohd Izhar Firdaus Bin Ismail
Amano Hikaru
天野晃 「あまの ひかる」
http://fedoraproject.org/wiki/MohdIzharFirdaus
http://blog.kagesenshi.org
92C2 B295 B40B B3DC 6866 5011 5BD2 584A 8A5D 7331


"Callum Lerwick" 06-23-2008 06:37 AM

Firewall and user services that needs open ports
 
On Sun, Jun 22, 2008 at 3:53 PM, Chuck Anderson <cra@wpi.edu> wrote:
> On Sun, Jun 22, 2008 at 12:06:44PM -0700, Andrew Farris wrote:
>> There is no service which requires a firewall to be turned off... that does
>> not exist. What they require is configuration to function with the
>> firewall on. Improvement of the firewall configuration tool would certainly
>> be a good step forward, and perhaps more automated configuration via upnp,
>> but turning it off is definitely the wrong move... no matter what service
>> you're trying to get through it.
>
> Why do we need a firewall when you can easily prevent services from
> being accessed...just stop the service! Don't bind to the port, and
> it won't be possible to connect to it.

Yes, the correct thing to do for local security is use something like
selinux to prevent things from binding to interfaces/ports they
shouldn't be binding to in the first place. Using iptables for this is a
completely unsustainable hack. iptables firewalling is for machines that
route packets to other machines.

Unfortunately for some reason network devices are exempt from the
"everything is a file" architecture thus don't receive the benefit of
the pre-existing filesystem access control architecture.


"Nicolas Mailhot" 06-23-2008 07:58 AM

Firewall and user services that needs open ports
 
On Mon, 23 Jun 2008 08:37, Callum Lerwick wrote:

> Yes, the correct thing to do for local security is use something like
> selinux to prevent things from binding to interfaces/ports they
> shouldn't be binding to in the first place. Using iptables for this is
> a completely unsustainable hack. iptables firewalling is for machines
> that route packets to other machines.

Iptables is actually wonderfully simple and transparent to normal
users, unlike apps that do black magic using a system bus one can't
inspect, a registry system full of rotten undocumented keys, and
massive use of bandaids (PA startup I'm thinking about you).

You'll take iptables out of my system the day I can easily check the
spaghetti pile userspace is these days is not misbehaving. And no,
current selinux is not an "easy to inspect" system.

--
Nicolas Mailhot


"Colin Walters" 06-23-2008 02:17 PM

Firewall and user services that needs open ports
 
On Mon, Jun 23, 2008 at 3:58 AM, Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:
> On Mon, 23 Jun 2008 08:37, Callum Lerwick wrote:
>> Yes, the correct thing to do for local security is use something like
>> selinux to prevent things from binding to interfaces/ports they
>> shouldn't be binding to in the first place. Using iptables for this is
>> a completely unsustainable hack. iptables firewalling is for machines
>> that route packets to other machines.
>
> Iptables is actually wonderfully simple and transparent to normal
> users, unlike apps that do black magic using a system bus one can't
> inspect,

dbus-monitor --system
d-feet

> You'll take iptables out of my system the day I can easily check the
> spaghetti pile userspace is these days is not misbehaving.

netstat -ln


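Izhar's `netstat -nap` and Colin's `netstat -ln` both leave the reader to interpret a raw socket listing. As an added example that is not part of this thread, the POSIX shell script below reduces a constructed `netstat -lntup` listing (sample data, not captured from a real host) to the two facts that matter for the firewall question: whether each listener is reachable beyond loopback, and whether its port is one any unprivileged process could have bound (Izhar's point about ports above 1024).

```shell
#!/bin/sh
# Constructed sample of `netstat -lntup` output; program names are made up.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1234/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/master
tcp        0      0 0.0.0.0:6881            0.0.0.0:*               LISTEN      2201/transmission
tcp6       0      0 :::22                   :::*                    LISTEN      980/sshd
tcp6       0      0 ::1:6010                :::*                    LISTEN      980/sshd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1100/avahi-daemon'

# Reads netstat -lntup output on stdin and prints one line per server socket:
#   <proto> <port> <program> <reach> <priv>
# reach = local   : bound to loopback only, no firewall rule can matter
#         network : bound to a wildcard or routable address
# priv  = privileged   : port < 1024, root was needed to bind it
#         unprivileged : port >= 1024, any user's process could have bound it
summarize_listeners() {
    awk '
        /^(tcp|udp)/ {
            proto = $1; local = $4; prog = $NF
            # tcp lines carry a State column; only LISTEN sockets are servers.
            # udp has no state, so every udp line in -l output is a listener.
            if (proto ~ /^tcp/ && $6 != "LISTEN") next
            n = split(local, parts, ":")
            port = parts[n]
            # Everything before the final ":" is the address (handles :::22, ::1:6010).
            addr = substr(local, 1, length(local) - length(port) - 1)
            reach = (addr == "127.0.0.1" || addr == "::1") ? "local" : "network"
            priv  = (port + 0 < 1024) ? "privileged" : "unprivileged"
            sub(/^[0-9]+\//, "", prog)   # drop the PID, keep the program name
            print proto, port, prog, reach, priv
        }'
}

# The sockets a host firewall is really standing in front of: reachable from
# the network and on a port that did not require root to bind.
unprivileged_network_listeners() {
    summarize_listeners | awk '$4 == "network" && $5 == "unprivileged" { print $3 ":" $2 }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | summarize_listeners
```

On a real host, pipe `netstat -lntup` (or `ss -lntup` on current systems) into `summarize_listeners`; note that the PID/Program column is only filled in for processes you own unless the command runs as root.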

Les Mikesell 06-23-2008 03:15 PM

Firewall and user services that needs open ports
 
Callum Lerwick wrote:
>> Why do we need a firewall when you can easily prevent services from
>> being accessed...just stop the service! Don't bind to the port, and
>> it won't be possible to connect to it.
>
> Yes, the correct thing to do for local security is use something like
> selinux to prevent things from binding to interfaces/ports they
> shouldn't be binding to in the first place.

But what you usually want to control are the ranges of
source/destination addresses that are permitted.

> Using iptables for this is a
> completely unsustainable hack. iptables firewalling is for machines that
> route packets to other machines.

Unsustainable? But it is what you need to do, not kill functionality
completely.

> Unfortunately for some reason network devices are exempt from the
> "everything is a file" architecture thus don't receive the benefit of
> the pre-existing filesystem access control architecture.

Yes, this seems like a bizarre design decision in Linux but
realistically, everything needs network access to be useful at all these
days and what you need to control is where on the network something
can/can't connect.


--
Les Mikesell
lesmikesell@gmail.com


yersinia 06-23-2008 03:48 PM

Firewall and user services that needs open ports
 
The MLS SELinux policy goes beyond an "everything is a file" ACL and offers much more protection, at the expense of some
complexity

http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/#more-19

Also James Morris has posted some useful documentation on the subject in his blog.

Regards

On Mon, Jun 23, 2008 at 5:15 PM, Les Mikesell <lesmikesell@gmail.com> wrote:
> Callum Lerwick wrote:
>>> Why do we need a firewall when you can easily prevent services from
>>> being accessed...just stop the service! Don't bind to the port, and
>>> it won't be possible to connect to it.
>>
>> Yes, the correct thing to do for local security is use something like selinux to prevent things from binding to interfaces/ports they shouldn't be binding to in the first place.
>
> But what you usually want to control are the ranges of source/destination addresses that are permitted.
>
>> Using iptables for this is a completely unsustainable hack. iptables firewalling is for machines that route packets to other machines.
>
> Unsustainable? But it is what you need to do, not kill functionality completely.
>
>> Unfortunately for some reason network devices are exempt from the "everything is a file" architecture thus don't receive the benefit of the pre-existing filesystem access control architecture.
>
> Yes, this seems like a bizarre design decision in Linux but realistically, everything needs network access to be useful at all these days and what you need to control is where on the network something can/can't connect.
>
> --
> Les Mikesell
> lesmikesell@gmail.com


