Old 12-06-2010, 07:08 PM
Matthew Miller
 
Default Firewall

On Mon, Dec 06, 2010 at 08:27:00PM +0100, Phil Knirsch wrote:
> Basically it's a stateful firewall daemon now that allows us to support
> and implement a lot of those features which have been so critically

Does this *really* need to be implemented as yet another constantly-running
daemon? Because by its nature, iptables already maintains its state, and it
seems unnecessary to have another program running in userspace to do the
same thing.




--
Matthew Miller <mattdm@mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 12-06-2010, 07:18 PM
Tom Lane
 
Default Firewall

Jesse Keating <jkeating@redhat.com> writes:
> The argument of default firewall or not would probably quiet down quite
> a bit if we had any sort of decent UI to help users get the firewall out
> of their way when they're really trying to do something.

+1. In today's environment, not having a firewall by default is an
incredibly stupid idea. What we need to do is fix the UI problems,
not bypass them by dramatically reducing security.

regards, tom lane
 
Old 12-06-2010, 07:23 PM
nodata
 
Default Firewall

On 06/12/10 21:06, seth vidal wrote:
> On Mon, 2010-12-06 at 21:01 +0100, Tomasz Torcz wrote:
>> On Mon, Dec 06, 2010 at 02:56:19PM -0500, seth vidal wrote:
>>> On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
>>>> seth vidal (skvidal@fedoraproject.org) said:
>>>>> Bittorrent won't work through many/most wireless routers unless they are
>>>>> not natted and/or not explicitly configured.
>>>>>
>>>>> what network games?
>>>>> Heck, what network games do we HAVE?
>>>>>
>>>>> what are the use cases of zeroconf-enabled apps that we're targeting?
>>>>
>>>> Zeroconf and IPP browse packets are both means of making printing less
>>>> of a giant pain to set up.
>>>
>>> ah, printing.
>>>
>>> Is there anything that's not last century?
>>
>>
>> Yeah, general discovery. From the top of my head:
>> - Pulseaudio sinks and sources
>> - libvirt instances for virt-manager
>> - VNC desktops for Vinagre
>> - local web pages (think SOHO router config page) for zeroconf
>> enabled Webbrowsers like Epiphany
>> - remote disk management (udisks)
>> - local FTP sites and WebDAV shares shown in nautilus places
>>
>> And this is all blocked by default Fedora firewall settings (5353/udp).
>>
>
> I'm confused - are any of the above intended to be used/available by
> anyone who is NOT experienced enough to know what iptables are and how
> to manage them? B/c I think it's a bit unlikely.
>
> -sv
>
>

+10
 
Old 12-06-2010, 07:25 PM
Miloslav Trmač
 
Default Firewall

Tomasz Torcz writes on Mon 06. 12. 2010 at 21:01 +0100:
> Yeah, general discovery. From the top of my head:
> - Pulseaudio sinks and sources
> - libvirt instances for virt-manager
> - VNC desktops for Vinagre
> - local web pages (think SOHO router config page) for zeroconf
> enabled Webbrowsers like Epiphany
> - remote disk management (udisks)
> - local FTP sites and WebDAV shares shown in nautilus places
>
> And this is all blocked by default Fedora firewall settings (5353/udp).
These really sound like something that "should" be caught by the default
"enable related packets" rule - if the kernel sees an outgoing mDNS
request, it temporarily enables replies to the same port. If the kernel
doesn't do this already, teaching this to the kernel sounds like the
cleanest solution.
Mirek

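Mirek's expectation above is worth checking against how conntrack actually classifies mDNS traffic. The following is an added example written for this page (the editor's code, not anything posted in the thread or shipped by Fedora): a tiny evaluator for the subset of iptables-save syntax used in a constructed INPUT chain, modelled on the shape of a default desktop ruleset but not a copy of any real file. It walks two inbound datagrams through the chain: a unicast DNS answer from the resolver we queried, and an mDNS answer from a peer on the LAN. Conntrack recognises a reply by the reverse of the 5-tuple it saw go out; our mDNS query was addressed to 224.0.0.251, but the answer arrives from the peer's own address (or is itself sent to the group), so it is NEW rather than ESTABLISHED and the generic state rule never sees it. Only an explicit 5353/udp rule lets it through. The addresses, interface names and function names are assumptions made for the example.

```python
"""Added example: walk an iptables INPUT chain for a few sample packets.
Not code from the thread or from Fedora.  RULESET is a constructed
ruleset in iptables-save syntax; addresses and names are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The one extra rule Avahi/Bonjour discovery needs (mDNS group, 5353/udp).
MDNS_RULE = ("-A INPUT -m state --state NEW -m udp -p udp "
             "--dport 5353 -d 224.0.0.251 -j ACCEPT")

# Options we understand -> Packet attribute they are matched against.
_ARGS = {"-i": "iface", "-p": "proto", "-d": "dst",
         "--dport": "dport", "--state": "state", "-j": "target"}


@dataclass
class Packet:
    iface: str
    proto: str            # "tcp", "udp" or "icmp"
    dst: str
    dport: Optional[int]
    state: str            # conntrack's view: NEW / ESTABLISHED / RELATED


def parse_rules(text: str, chain: str = "INPUT") -> list[dict]:
    """Turn '-A <chain> ...' lines into match dicts.  '-m <module>' and
    '--reject-with <x>' are skipped; any other unknown option raises, so
    a rule we do not understand is never silently mis-evaluated."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] != ["-A", chain]:
            continue
        rule, i = {}, 2
        while i < len(toks):
            opt = toks[i]
            if opt not in ("-m", "--reject-with"):
                if opt not in _ARGS:
                    raise ValueError(f"unsupported option {opt!r}: {line}")
                rule[_ARGS[opt]] = toks[i + 1]
            i += 2
        rules.append(rule)
    return rules


def matches(rule: dict, pkt: Packet) -> bool:
    return (rule.get("iface", pkt.iface) == pkt.iface
            and rule.get("proto", pkt.proto) == pkt.proto
            and rule.get("dst", pkt.dst) == pkt.dst
            and ("dport" not in rule or int(rule["dport"]) == pkt.dport)
            and ("state" not in rule or pkt.state in rule["state"].split(",")))


def verdict(rules: list[dict], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule's target wins; otherwise the chain policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def conntrack_state(query_dst: str, reply_src: str) -> str:
    """A reply is ESTABLISHED only if it comes back from the address the
    query went to (reverse tuple).  mDNS answers come from each peer or
    go to the group, so they never match and are classified NEW."""
    return "ESTABLISHED" if reply_src == query_dst else "NEW"


def dns_answer_verdict(ruleset: str) -> str:
    """Unicast DNS: we asked 192.168.1.1 and 192.168.1.1 answered."""
    state = conntrack_state("192.168.1.1", "192.168.1.1")
    pkt = Packet("eth0", "udp", "192.168.1.10", 40000, state)
    return verdict(parse_rules(ruleset), pkt)


def mdns_answer_verdict(ruleset: str) -> str:
    """mDNS: we queried 224.0.0.251; peer 192.168.1.20 answers the group."""
    state = conntrack_state("224.0.0.251", "192.168.1.20")
    pkt = Packet("eth0", "udp", "224.0.0.251", 5353, state)
    return verdict(parse_rules(ruleset), pkt)


def with_mdns_rule(ruleset: str) -> str:
    """Insert MDNS_RULE just above the final REJECT, as a firewall
    frontend would when its 'mdns' service is switched on."""
    lines = ruleset.splitlines()
    idx = next(i for i, l in enumerate(lines) if " -j REJECT" in l)
    return "\n".join(lines[:idx] + [MDNS_RULE] + lines[idx:]) + "\n"


if __name__ == "__main__":
    print("unicast DNS answer, default rules :", dns_answer_verdict(RULESET))
    print("mDNS answer, default rules        :", mdns_answer_verdict(RULESET))
    print("mDNS answer, with 5353/udp rule   :",
          mdns_answer_verdict(with_mdns_rule(RULESET)))
```

The unicast answer is accepted by the first rule because conntrack saw our query leave and the answer came back from the same address; the mDNS answer falls through to the final REJECT until the explicit 5353/udp rule is present, which is why "teach the kernel to treat it as RELATED" does not work without a protocol-specific helper.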
 
Old 12-06-2010, 08:24 PM
Rodd Clarkson
 
Default Firewall

On Tue, Dec 7, 2010 at 5:04 AM, Richard W.M. Jones <rjones@redhat.com> wrote:
> On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
> > On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
> > > On most desktop systems firewall is not needed. Many users do not even
> > > know how to configure it. In fact I disable it in most of my systems,
> > > because there is no real use for it. So I asked a simple question
> > > whether there is a need to install iptables by default?
> > >
> > > Your answer is not satisfactory for me - because not configured
> > > firewall has nothing to do with security. In fact, it can only bring
> > > false sense of security.
> >
> > I believe the default is to block incoming connections except for a few
> > services. This is good if you are running a sloppily written
> > single-user server that binds to the wildcard address. The Haskell
> > Scion server fell in this category as of August 2009; I didn't look to
> > see what a remote user might be able to do to me by connecting to it.
> > Yes, the proper way to avoid problems is to bind to localhost, but the
> > firewall can be nice.
>
> It would be nice if the firewall automatically followed services that
> I have enabled and disabled. eg. If I explicitly enable the
> webserver, it should open the corresponding port(s).

Actually, just because a service is running doesn't mean you want it exposed to the world. I work as a web developer, so I have httpd running on my system, but this doesn't mean that I want everyone to be able to access this. My httpd session is just for personal development and doesn't need to be exposed just because it's running.

R.

 
Old 12-06-2010, 08:50 PM
"Richard W.M. Jones"
 
Default Firewall

On Mon, Dec 06, 2010 at 03:08:46PM -0500, Matthew Miller wrote:
> On Mon, Dec 06, 2010 at 08:27:00PM +0100, Phil Knirsch wrote:
> > Basically it's a stateful firewall daemon now that allows us to support
> > and implement a lot of those features which have been so critically
>
> Does this *really* need to be implemented as yet another constantly-running
> daemon? Because by its nature, iptables already maintains its state, and it
> seems unnecessary to have another program running in userspace to do the
> same thing.

+1

Still not seeing how /etc/iptables.d wouldn't work ...

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
 
Old 12-06-2010, 08:52 PM
"Richard W.M. Jones"
 
Default Firewall

On Mon, Dec 06, 2010 at 03:06:24PM -0500, seth vidal wrote:
> On Mon, 2010-12-06 at 21:01 +0100, Tomasz Torcz wrote:
> > On Mon, Dec 06, 2010 at 02:56:19PM -0500, seth vidal wrote:
> > > On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
> > > > seth vidal (skvidal@fedoraproject.org) said:
> > > > > Bittorrent won't work through many/most wireless routers unless they are
> > > > > not natted and/or not explicitly configured.
> > > > >
> > > > > what network games?
> > > > > Heck, what network games do we HAVE?
> > > > >
> > > > > what are the use cases of zeroconf-enabled apps that we're targeting?
> > > >
> > > > Zeroconf and IPP browse packets are both means of making printing less
> > > > of a giant pain to set up.
> > >
> > > ah, printing.
> > >
> > > Is there anything that's not last century?
> >
> >
> > Yeah, general discovery. From the top of my head:
> > - Pulseaudio sinks and sources
> > - libvirt instances for virt-manager
> > - VNC desktops for Vinagre
> > - local web pages (think SOHO router config page) for zeroconf
> > enabled Webbrowsers like Epiphany
> > - remote disk management (udisks)
> > - local FTP sites and WebDAV shares shown in nautilus places
> >
> > And this is all blocked by default Fedora firewall settings (5353/udp).
> >
>
> I'm confused - are any of the above intended to be used/available by
> anyone who is NOT experienced enough to know what iptables are and how
> to manage them? B/c I think it's a bit unlikely.

Our tooling around avahi sucks (even the command line tools), but the
idea itself is quite wonderful.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
 
Old 12-06-2010, 09:18 PM
Matej Cepl
 
Default Firewall

On 6.12.2010 20:53, seth vidal wrote:
> what are the use cases of zeroconf-enabled apps that we're targetting?

* XMPP-over-Zeroconf (Bonjour)
* gtkvnc searches for VNC servers
* ekiga looks for other clients on LAN
* you can go to local ssh servers in .local domain
* etc. etc. ... partial list is on
http://avahi.org/wiki/Avah4users#SoftwareMakinguseofAvahi

Matěj

 
Old 12-06-2010, 09:34 PM
Matej Cepl
 
Default Firewall

On 6.12.2010 21:06, seth vidal wrote:
> I'm confused - are any of the above intended to be used/available by
> anyone who is NOT experienced enough to know what iptables are and how
> to manage them? B/c I think it's a bit unlikely.

OK, so let's add (just what gets packaged in Fedora):

* Empathy/Pidgin/gajim ... XMPP over Zeroconf for LAN
* Gobby ... for connecting with collaborators over LAN (not sure
whether AbiWord and gedit-collaboration with similar functionality are
using Zeroconf or just plain XMPP over central server)
* Pulseaudio sinks and servers ... most artists are poor in network
administration
* DAAP servers (there is rhythmbox and mt-daapd already packaged, and I
plan to package forked-daapd) for sharing music over local network
* seahorse (sharing web-of-trust over local network)
* totem ... streaming for local network

Should I continue? Really, Seth, Bonjour was created by Apple as means
to make networking easy for normal people
(http://www.youtube.com/watch?v=kgMVjEJiHDM), so it should really work
for normal people without fiddling with firewall.

I have to admit, I am not completely happy with having no firewall per
default, but we should really do something about Zeroconf to really make
it work for normal people as much as bread toaster works for them.

Best,

Matěj

 
Old 12-06-2010, 09:47 PM
Michał Piotrowski
 
Default Firewall

2010/12/6 Matej Cepl <mcepl@redhat.com>:
> On 6.12.2010 21:06, seth vidal wrote:
[..]
> I have to admit, I am not completely happy with having no firewall per
> default,

It looks like you do not have to worry about removing iptables from @core

I think that further discussion on removing it from core is pointless,
so we have to start thinking about how to convert ip*tables to systemd
services. I'm afraid it will end up as something like this:
ExecStart=/etc/init.d/iptables start
ExecStop=/etc/init.d/iptables stop

> but we should really do something about Zeroconf to really make
> it work for normal people as much as bread toaster works for them.
>
> Best,
>
> Matěj
>
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel



--
Best regards,
Michal

Sent from my iToaster
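Michał's worry above is that the systemd conversion will just wrap the old init script. For contrast, here is what a native unit for the same job looks like. This is an added example from the editor, not Fedora's actual iptables unit: it assumes the saved rules live at /etc/sysconfig/iptables and that iptables-restore is at /sbin/iptables-restore, and it orders itself before network-pre.target so the rules are in place before any interface is configured.

```ini
[Unit]
Description=IPv4 packet filter (native unit, no init script wrapper)
# network-pre.target is the hook systemd provides for exactly this:
# anything ordered Before= it runs before interfaces come up.
Wants=network-pre.target
Before=network-pre.target
After=local-fs.target

[Service]
Type=oneshot
# Stay "active" after iptables-restore exits so enable/disable and
# status behave like a long-running service would.
RemainAfterExit=yes
# Replace the whole ruleset atomically from the saved file.
ExecStart=/sbin/iptables-restore /etc/sysconfig/iptables
# Reload re-applies the file with no window where the filter is open.
ExecReload=/sbin/iptables-restore /etc/sysconfig/iptables
# "stop" reproduces the init script's semantics: flush every chain,
# delete user chains, then open the built-in policies.
ExecStop=/sbin/iptables -F
ExecStop=/sbin/iptables -X
ExecStop=/sbin/iptables -P INPUT ACCEPT
ExecStop=/sbin/iptables -P FORWARD ACCEPT
ExecStop=/sbin/iptables -P OUTPUT ACCEPT

[Install]
WantedBy=multi-user.target
```

Multiple ExecStop= lines run in the order written, so the policies are only opened after the chains are empty. If you would rather a stopped unit leave the last ruleset loaded, which is the safer default on a host that should never be unfiltered, drop the ExecStop= lines entirely; stopping then only changes the unit's state, not the kernel's tables.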
 
