Firewall and user services that need open ports

I needed to print through a network printer a few days ago. But it doesn't just work. Seems like the firewall needs to be stopped and cups-config-daemon needs to be started (not sure about the latter, because I simply start all cups related services). This raises a question: as Fedora turns on the firewall by default, what's the plan for certain user services that require the firewall to be turned off (cups, gnome file sharing)? Something like PolicyKit but for the firewall? Ubuntu took the easy way of simply disabling the firewall, and I doubt Fedora will follow that path.

--
Mohd Izhar Firdaus Bin Ismail
Amano Hikaru 天野晃 「あまの ひかる」
http://fedoraproject.org/wiki/MohdIzharFirdaus
http://blog.kagesenshi.org
92C2 B295 B40B B3DC 6866 5011 5BD2 584A 8A5D 7331

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
Firewall and user services that need open ports

Izhar Firdaus wrote:
> I needed to print through a network printer a few days ago. But it doesn't
> just work. Seems like the firewall needs to be stopped and cups-config-daemon
> needs to be started (not sure about the latter, because I simply start all
> cups related services). This raises a question: as Fedora turns on the
> firewall by default, what's the plan for certain user services that require
> the firewall to be turned off (cups, gnome file sharing)? Something like
> PolicyKit but for the firewall? Ubuntu took the easy way of simply disabling
> the firewall, and I doubt Fedora will follow that path.

This has been a discussion on some list some time ago... If memory serves me well it was not becoming the default. I think the only move forward to make is to:

1) invent a system that will do this kind of thing
2) do the work and test-case / show-case the system
3) make it available to users that would otherwise just shut down the firewall entirely

-Jeroen
Firewall and user services that need open ports

Izhar Firdaus wrote:
> I needed to print through a network printer a few days ago. But it doesn't
> just work. Seems like the firewall needs to be stopped and cups-config-daemon
> needs to be started (not sure about the latter, because I simply start all
> cups related services). This raises a question: as Fedora turns on the
> firewall by default, what's the plan for certain user services that require
> the firewall to be turned off (cups, gnome file sharing)? Something like
> PolicyKit but for the firewall? Ubuntu took the easy way of simply disabling
> the firewall, and I doubt Fedora will follow that path.

There is no service which requires a firewall to be turned off... that does not exist. What they require is configuration to function with the firewall on. Improvement of the firewall configuration tool would certainly be a good step forward, and perhaps more automated configuration via upnp, but turning it off is definitely the wrong move... no matter what service you're trying to get through it.

--
Andrew Farris <lordmorgul@gmail.com> www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
Firewall and user services that need open ports

On Sun, Jun 22, 2008 at 12:06:44PM -0700, Andrew Farris wrote:
> Izhar Firdaus wrote:
> There is no service which requires a firewall to be turned off... that does
> not exist. What they require is configuration to function with the
> firewall on. Improvement of the firewall configuration tool would certainly
> be a good step forward, and perhaps more automated configuration via upnp,
> but turning it off is definitely the wrong move... no matter what service
> you're trying to get through it.

Why do we need a firewall when you can easily prevent services from being accessed... just stop the service! Don't bind to the port, and it won't be possible to connect to it.
Firewall and user services that need open ports

On Mon, Jun 23, 2008 at 3:06 AM, Andrew Farris <lordmorgul@gmail.com> wrote:
>
> There is no service which requires a firewall to be turned off... that does
> not exist. What they require is configuration to function with the firewall
> on. Improvement of the firewall configuration tool would certainly be a good
> step forward, and perhaps more automated configuration via upnp, but turning
> it off is definitely the wrong move... no matter what service you're trying
> to get through it.
>

err, well, yeah, - firewall turned off or port opened - .. I know I can use netstat -nap to find what ports I need to open, but JoeRandom can't do that .. I didn't suggest turning off the firewall, I really believe Fedora would never do that .. My question was, are there any plans for handling such a purpose .. because so far, the only approach that I've seen is to disable the firewall - which is rather an ugly move ..

On Mon, Jun 23, 2008 at 4:53 AM, Chuck Anderson <cra@wpi.edu> wrote:
> Why do we need a firewall when you can easily prevent services from
> being accessed... just stop the service! Don't bind to the port, and
> it won't be possible to connect to it.
>

because JoeRandom doesn't know what daemon to turn on, and what daemon to turn off.. he will turn on whatever daemon he found/installed .. and because binding port > 1024 doesn't need root, who knows what (malicious) software might be utilizing those high ports ..

--
Mohd Izhar Firdaus Bin Ismail
Amano Hikaru 天野晃 「あまの ひかる」
http://fedoraproject.org/wiki/MohdIzharFirdaus
http://blog.kagesenshi.org
92C2 B295 B40B B3DC 6866 5011 5BD2 584A 8A5D 7331
Firewall and user services that need open ports

On Sun, Jun 22, 2008 at 3:53 PM, Chuck Anderson <cra@wpi.edu> wrote:
> On Sun, Jun 22, 2008 at 12:06:44PM -0700, Andrew Farris wrote:
> > Izhar Firdaus wrote:
> > There is no service which requires a firewall to be turned off... that does
> > not exist. What they require is configuration to function with the
> > firewall on. Improvement of the firewall configuration tool would certainly
> > be a good step forward, and perhaps more automated configuration via upnp,
> > but turning it off is definitely the wrong move... no matter what service
> > you're trying to get through it.
>
> Why do we need a firewall when you can easily prevent services from
> being accessed... just stop the service! Don't bind to the port, and
> it won't be possible to connect to it.

Yes, the correct thing to do for local security is use something like selinux to prevent things from binding to interfaces/ports they shouldn't be binding to in the first place. Using iptables for this is a completely unsustainable hack. iptables firewalling is for machines that route packets to other machines.

Unfortunately for some reason network devices are exempt from the "everything is a file" architecture thus don't receive the benefit of the pre-existing filesystem access control architecture.
Firewall and user services that need open ports

On Mon, 23 Jun 2008 08:37, Callum Lerwick wrote:
> Yes, the correct thing to do for local security is use something like
> selinux to prevent things from binding to interfaces/ports they
> shouldn't be binding to in the first place. Using iptables for this is
> a completely unsustainable hack. iptables firewalling is for machines
> that route packets to other machines.

Iptables is actually wonderfully simple and transparent to normal users, unlike apps that do black magic using a system bus one can't inspect, a registry system full of rotten undocumented keys, and massive use of bandaids (PA startup I'm thinking about you).

You'll take iptables out of my system the day I can easily check the spaghetti pile userspace is those days is not misbehaving. And no, current selinux is not an "easy to inspect" system.

--
Nicolas Mailhot
Firewall and user services that need open ports

On Mon, Jun 23, 2008 at 3:58 AM, Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:
> On Mon, 23 Jun 2008 08:37, Callum Lerwick wrote:
> > Yes, the correct thing to do for local security is use something like
> > selinux to prevent things from binding to interfaces/ports they
> > shouldn't be binding to in the first place. Using iptables for this is
> > a completely unsustainable hack. iptables firewalling is for machines
> > that route packets to other machines.
>
> Iptables is actually wonderfully simple and transparent to normal users,
> unlike apps that do black magic using a system bus one can't inspect,

dbus-monitor --system
d-feet

> You'll take iptables out of my system the day I can easily check the
> spaghetti pile userspace is those days is not misbehaving.

netstat -ln
Firewall and user services that need open ports

Callum Lerwick wrote:
> > Why do we need a firewall when you can easily prevent services from
> > being accessed... just stop the service! Don't bind to the port, and
> > it won't be possible to connect to it.
>
> Yes, the correct thing to do for local security is use something like
> selinux to prevent things from binding to interfaces/ports they shouldn't
> be binding to in the first place.

But what you usually want to control are the ranges of source/destination addresses that are permitted.

> Using iptables for this is a completely unsustainable hack. iptables
> firewalling is for machines that route packets to other machines.

Unsustainable? But it is what you need to do, not kill functionality completely.

> Unfortunately for some reason network devices are exempt from the
> "everything is a file" architecture thus don't receive the benefit of the
> pre-existing filesystem access control architecture.

Yes, this seems like a bizarre design decision in Linux but realistically, everything needs network access to be useful at all these days and what you need to control is where on the network something can/can't connect.

--
  Les Mikesell
   lesmikesell@gmail.com
Firewall and user services that need open ports

The MLS SELinux policy goes beyond an "everything is a file" ACL and offers much more protection, at the expense of some complexity:
http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/#more-19

Also James Morris had posted some useful documentation on the subject in his blog.

Regards

On Mon, Jun 23, 2008 at 5:15 PM, Les Mikesell <lesmikesell@gmail.com> wrote:
> Callum Lerwick wrote:
> > > Why do we need a firewall when you can easily prevent services from
> > > being accessed... just stop the service! Don't bind to the port, and
> > > it won't be possible to connect to it.
> >
> > Yes, the correct thing to do for local security is use something like
> > selinux to prevent things from binding to interfaces/ports they shouldn't
> > be binding to in the first place.
>
> But what you usually want to control are the ranges of source/destination
> addresses that are permitted.
>
> > Using iptables for this is a completely unsustainable hack. iptables
> > firewalling is for machines that route packets to other machines.
>
> Unsustainable? But it is what you need to do, not kill functionality
> completely.
>
> > Unfortunately for some reason network devices are exempt from the
> > "everything is a file" architecture thus don't receive the benefit of the
> > pre-existing filesystem access control architecture.
>
> Yes, this seems like a bizarre design decision in Linux but realistically,
> everything needs network access to be useful at all these days and what you
> need to control is where on the network something can/can't connect.
>
> --
>   Les Mikesell
>    lesmikesell@gmail.com