06-21-2008, 12:16 PM
"Izhar Firdaus"

Firewall and user services that need open ports

I needed to print through a network printer a few days ago. But it
doesn't just work. Seems like the firewall needs to be stopped and
cups-config-daemon needs to be started (not sure about the latter, because I
simply start all cups related services).

This raises a question: as Fedora turns on the firewall by default, what's
the plan for certain user services that require the firewall to be turned
off (cups, gnome file sharing)? Something like PolicyKit but for the
firewall? Ubuntu took the easy way of simply disabling the firewall, and
I doubt Fedora will follow that path.

--
Mohd Izhar Firdaus Bin Ismail
Amano Hikaru
天野晃 「あまの ひかる」
http://fedoraproject.org/wiki/MohdIzharFirdaus
http://blog.kagesenshi.org
92C2 B295 B40B B3DC 6866 5011 5BD2 584A 8A5D 7331

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
06-21-2008, 07:34 PM
Jeroen van Meeuwen

Firewall and user services that need open ports

Izhar Firdaus wrote:

> I needed to print through a network printer a few days ago. But it
> doesn't just work. Seems like the firewall need to be stopped and
> cups-config-daemon need to be started (not sure bout the latter, coz i
> simply start all cups related services).
>
> This raises a question, as Fedora turns on firewall by default, what's
> the plan for certain user services that requires firewall to be turned
> off (cups, gnome file sharing) ?? Something like PolicyKit but for
> firewall??. Ubuntu took the easy way of simply disabling firewall, and
> I doubt Fedora will follow that path.



This has been a discussion on some list some time ago... If memory
serves me well it was not becoming the default. I think the only move
forward to make is to:

1) invent a system that will do this kind of thing
2) do the work and test-case / show-case the system
3) make it available to users that would otherwise just shut down the
firewall entirely


-Jeroen

 
06-22-2008, 07:06 PM
Andrew Farris

Firewall and user services that need open ports

Izhar Firdaus wrote:

> I needed to print through a network printer a few days ago. But it
> doesn't just work. Seems like the firewall need to be stopped and
> cups-config-daemon need to be started (not sure bout the latter, coz i
> simply start all cups related services).
>
> This raises a question, as Fedora turns on firewall by default, what's
> the plan for certain user services that requires firewall to be turned
> off (cups, gnome file sharing) ?? Something like PolicyKit but for
> firewall??. Ubuntu took the easy way of simply disabling firewall, and
> I doubt Fedora will follow that path.


There is no service which requires a firewall to be turned off... that does not
exist. What they require is configuration to function with the firewall on.
Improvement of the firewall configuration tool would certainly be a good step
forward, and perhaps more automated configuration via upnp, but turning it off
is definitely the wrong move... no matter what service you're trying to get
through it.


--
Andrew Farris <lordmorgul@gmail.com> www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29

 
06-22-2008, 08:53 PM
Chuck Anderson

Firewall and user services that need open ports

On Sun, Jun 22, 2008 at 12:06:44PM -0700, Andrew Farris wrote:
> Izhar Firdaus wrote:
> There is no service which requires a firewall to be turned off... that does
> not exist. What they require is configuration to function with the
> firewall on. Improvement of the firewall configuration tool would certainly
> be a good step forward, and perhaps more automated configuration via upnp,
> but turning it off is definitely the wrong move... no matter what service
> you're trying to get through it.

Why do we need a firewall when you can easily prevent services from
being accessed...just stop the service! Don't bind to the port, and
it won't be possible to connect to it.

 
06-23-2008, 01:56 AM
"Izhar Firdaus"

Firewall and user services that need open ports

On Mon, Jun 23, 2008 at 3:06 AM, Andrew Farris <lordmorgul@gmail.com> wrote:
>
> There is no service which requires a firewall to be turned off... that does
> not exist. What they require is configuration to function with the firewall
> on. Improvement of the firewall configuration tool would certainly be a good
> step forward, and perhaps more automated configuration via upnp, but turning
> it off is definitely the wrong move... no matter what service you're trying
> to get through it.
>

err, well, yeah - firewall turned off or port opened... I know I
can use netstat -nap to find what ports I need to open, but
JoeRandom can't do that. I didn't suggest turning off the firewall,
I really believe Fedora would never do that. My question was, are
there any plans for handling such a purpose? Because so far, the only
approach that I've seen is to disable the firewall - which is rather
an ugly move.

On Mon, Jun 23, 2008 at 4:53 AM, Chuck Anderson <cra@wpi.edu> wrote:
> Why do we need a firewall when you can easily prevent services from
> being accessed...just stop the service! Don't bind to the port, and
> it won't be possible to connect to it.
>

Because JoeRandom doesn't know what daemon to turn on and what daemon
to turn off. He will turn on whatever daemon he finds/installs, and
because binding a port > 1024 doesn't need root, who knows what
(malicious) software might be utilizing those high ports.

--
Mohd Izhar Firdaus Bin Ismail
Amano Hikaru
天野晃 「あまの ひかる」
http://fedoraproject.org/wiki/MohdIzharFirdaus
http://blog.kagesenshi.org
92C2 B295 B40B B3DC 6866 5011 5BD2 584A 8A5D 7331

 
06-23-2008, 06:37 AM
"Callum Lerwick"

Firewall and user services that need open ports

On Sun, Jun 22, 2008 at 3:53 PM, Chuck Anderson <cra@wpi.edu> wrote:

> On Sun, Jun 22, 2008 at 12:06:44PM -0700, Andrew Farris wrote:
> > Izhar Firdaus wrote:
> > There is no service which requires a firewall to be turned off... that does
> > not exist. What they require is configuration to function with the
> > firewall on. Improvement of the firewall configuration tool would certainly
> > be a good step forward, and perhaps more automated configuration via upnp,
> > but turning it off is definitely the wrong move... no matter what service
> > you're trying to get through it.
>
> Why do we need a firewall when you can easily prevent services from
> being accessed...just stop the service! Don't bind to the port, and
> it won't be possible to connect to it.

Yes, the correct thing to do for local security is use something like
selinux to prevent things from binding to interfaces/ports they
shouldn't be binding to in the first place. Using iptables for this is a
completely unsustainable hack. iptables firewalling is for machines that
route packets to other machines.

Unfortunately for some reason network devices are exempt from the
"everything is a file" architecture thus don't receive the benefit of
the pre-existing filesystem access control architecture.

 
06-23-2008, 07:58 AM
"Nicolas Mailhot"

Firewall and user services that need open ports

On Mon, 23 June 2008 08:37, Callum Lerwick wrote:

> Yes, the correct thing to do for local security is use something like
> selinux to prevent things from binding to interfaces/ports they
> shouldn't be
> binding to in the first place. Using iptables for this is a completely
> unsustainable hack. iptables firewalling is for machines that route
> packets to other machines.

Iptables is actually wonderfully simple and transparent to normal
users, unlike apps that do black magic using a system bus one can't
inspect, a registry system full of rotten undocumented keys, and
massive use of bandaids (PA startup, I'm thinking about you).

You'll take iptables out of my system the day I can easily check that the
spaghetti pile userspace is these days is not misbehaving. And no,
current selinux is not an "easy to inspect" system.

--
Nicolas Mailhot

 
06-23-2008, 02:17 PM
"Colin Walters"

Firewall and user services that need open ports

On Mon, Jun 23, 2008 at 3:58 AM, Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:

> On Mon, 23 June 2008 08:37, Callum Lerwick wrote:
>
> > Yes, the correct thing to do for local security is use something like
> > selinux to prevent things from binding to interfaces/ports they
> > shouldn't be
> > binding to in the first place. Using iptables for this is a completely
> > unsustainable hack. iptables firewalling is for machines that route
> > packets to other machines.
>
> Iptables is actually wonderfully simple and transparent to normal
> users, unlike apps that do black magic using a system bus one can't
> inspect,

dbus-monitor --system
d-feet

> You'll take iptables out of my system the day I can easily check the
> spaghetti pile userspace is these days is not misbehaving.

netstat -ln


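Chuck's "don't bind to the port", Izhar's netstat -nap and Colin's netstat -ln are the same check from three angles: what is listening, on which address, and whether it sits on a port that a non-root process could have opened. The script below is an added example, not code from any poster or from Fedora: it parses the /proc/net/tcp table (the kernel data netstat -ln reads) and reports each LISTEN socket with its decoded port, bound address, whether it is reachable from outside the host, whether the port is privileged (below 1024), and the owning uid. The table it runs on is a constructed sample embedded in the script; IPv4 only (the companion /proc/net/tcp6 table is not handled), and the little-endian address decoding assumes an x86 host.

```shell
#!/bin/sh
# Added example (not from the thread): report listening TCP sockets from a
# /proc/net/tcp-format table, the kernel data netstat -ln / ss -ltn read.
# Data columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid ...
# IPv4 address and port are hex; the address is little-endian on x86
# (0100007F is 127.0.0.1); socket state 0A is LISTEN.

# Constructed sample table (not captured from a real host):
#   CUPS on 127.0.0.1:631 (root), sshd on 0.0.0.0:22 (root),
#   something on 0.0.0.0:8631 owned by uid 1000, one established connection.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:21B7 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0277 0100007F:B2A4 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0'

# Decode an 8-hex-digit little-endian IPv4 address into dotted-quad form.
hex_ip_to_dotted() {
    h=$1
    b1=$(printf '%s' "$h" | cut -c7-8)
    b2=$(printf '%s' "$h" | cut -c5-6)
    b3=$(printf '%s' "$h" | cut -c3-4)
    b4=$(printf '%s' "$h" | cut -c1-2)
    printf '%d.%d.%d.%d' "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))"
}

# Print one line per LISTEN socket:
#   <port> <address> <scope> <privileged|unprivileged> uid=<uid>
# $1 is the table text, e.g. "$(cat /proc/net/tcp)" on a live host.
list_listening() {
    printf '%s\n' "$1" | tail -n +2 |
    while read -r sl laddr raddr st queues timer retr uid rest; do
        [ "$st" = "0A" ] || continue          # skip everything but LISTEN
        port=$((0x${laddr#*:}))
        addr=$(hex_ip_to_dotted "${laddr%:*}")
        case "$addr" in
            127.*)   scope=local-only ;;      # loopback: unreachable from the LAN
            0.0.0.0) scope=all-interfaces ;;  # bound to every address
            *)       scope=single-interface ;;
        esac
        if [ "$port" -lt 1024 ]; then priv=privileged; else priv=unprivileged; fi
        printf '%s %s %s %s uid=%s\n' "$port" "$addr" "$scope" "$priv" "$uid"
    done
}

# Only the ports another host could reach, i.e. the ones a firewall rule
# would actually have to cover (or that should not be listening at all).
externally_reachable() {
    list_listening "$1" | awk '$3 != "local-only" { print $1 }'
}

# Demo on the constructed sample; use "$(cat /proc/net/tcp)" for the live host.
list_listening "$SAMPLE_PROC_NET_TCP"
```

The third sample row is the case Izhar worries about: an unprivileged uid has bound a port above 1024 on every interface, so it is reachable from the network without anyone having been asked for root. Whether the right response is to stop that process, confine it with SELinux, or keep the packet filter in front of it is exactly the question the thread argues over; the listing is the input to that decision.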
 
06-23-2008, 03:15 PM
Les Mikesell

Firewall and user services that need open ports

Callum Lerwick wrote:

> > Why do we need a firewall when you can easily prevent services from
> > being accessed...just stop the service! Don't bind to the port, and
> > it won't be possible to connect to it.
>
> Yes, the correct thing to do for local security is use something like
> selinux to prevent things from binding to interfaces/ports they
> shouldn't be binding to in the first place.

But what you usually want to control are the ranges of
source/destination addresses that are permitted.

> Using iptables for this is a
> completely unsustainable hack. iptables firewalling is for machines that
> route packets to other machines.

Unsustainable? But it is what you need to do, not kill functionality
completely.

> Unfortunately for some reason network devices are exempt from the
> "everything is a file" architecture thus don't receive the benefit of
> the pre-existing filesystem access control architecture.

Yes, this seems like a bizarre design decision in Linux but
realistically, everything needs network access to be useful at all these
days and what you need to control is where on the network something
can/can't connect.


--
Les Mikesell
lesmikesell@gmail.com

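Les's point is that the useful control is not "port open or closed" but "open to whom": a network printer's IPP port should answer the LAN and nobody else, which is also what Andrew calls configuring the service to work with the firewall on rather than turning the firewall off. The script below is an added example, not code from the thread or from Fedora's firewall tooling; it emits the iptables INPUT rules for that policy. The port (631 for CUPS/IPP) and the LAN range 192.168.1.0/24 are constructed inputs; by default the commands are printed rather than executed, and the CIDR argument is validated before it is spliced into a command line.

```shell
#!/bin/sh
# Added example (not from the thread): allow a service only from a LAN
# range while the firewall stays on. DRY_RUN=1 (the default) prints the
# iptables commands; DRY_RUN=0 runs them, which needs root.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only dotted-quad IPv4 followed by a /0-/32 prefix length, so an
# untrusted argument cannot smuggle extra iptables options or shell text.
# (Octet range 0-255 is not enforced; iptables rejects such values itself.)
valid_cidr() {
    printf '%s' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Emit the INPUT rules for one TCP service reachable only from one range.
# $1: service port (631 for CUPS/IPP), $2: permitted source CIDR.
service_rules() {
    port=$1
    src=$2
    valid_cidr "$src" || { echo "bad CIDR: $src" >&2; return 1; }
    # Loopback traffic is always local; CUPS itself talks to 127.0.0.1:631.
    run iptables -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (e.g. to the printer).
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The service from the LAN only ...
    run iptables -A INPUT -p tcp --dport "$port" -s "$src" -j ACCEPT
    # ... and an explicit DROP for everyone else, so the rule set is
    # correct even on a host whose INPUT chain policy is still ACCEPT.
    run iptables -A INPUT -p tcp --dport "$port" -j DROP
}

# Demo: CUPS/IPP reachable from the constructed LAN range 192.168.1.0/24.
service_rules 631 192.168.1.0/24
```

The contrast with the two shortcuts discussed in the thread is in the last two rules: disabling the firewall removes both, while stopping the service makes the port unreachable for the LAN too. Printer discovery via CUPS browsing and any IPv6 path (ip6tables) are out of scope of this snippet.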
 
06-23-2008, 03:48 PM
yersinia

Firewall and user services that need open ports

The MLS SELinux policy goes beyond an "everything is a file" ACL and offers much more protection, at the expense of some
complexity.

http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/#more-19

Also James Morris has posted some useful documentation on the subject in his blog.

Regards

On Mon, Jun 23, 2008 at 5:15 PM, Les Mikesell <lesmikesell@gmail.com> wrote:

> Callum Lerwick wrote:
>
> > > Why do we need a firewall when you can easily prevent services from
> > > being accessed...just stop the service! Don't bind to the port, and
> > > it won't be possible to connect to it.
> >
> > Yes, the correct thing to do for local security is use something like selinux to prevent things from binding to interfaces/ports they shouldn't be binding to in the first place.
>
> But what you usually want to control are the ranges of source/destination addresses that are permitted.
>
> > Using iptables for this is a completely unsustainable hack. iptables firewalling is for machines that route packets to other machines.
>
> Unsustainable? But it is what you need to do, not kill functionality completely.
>
> > Unfortunately for some reason network devices are exempt from the "everything is a file" architecture thus don't receive the benefit of the pre-existing filesystem access control architecture.
>
> Yes, this seems like a bizarre design decision in Linux but realistically, everything needs network access to be useful at all these days and what you need to control is where on the network something can/can't connect.
>
> --
> Les Mikesell
> lesmikesell@gmail.com



 
