Services automatically change firewall rules to open access to themselves.

Arthur Pemberton pemboa at gmail.com
Mon Aug 20 23:08:28 UTC 2007


On 8/20/07, David Hollis <dhollis at davehollis.com> wrote:
> On Mon, 2007-08-20 at 12:33 -0500, Arthur Pemberton wrote:
> > > I run custom firewall rules.  If you can get this idea to play
> > > nicely with my custom script, and with Shorewall setups, and with
> > > s-c-securitylevel, go for it.  But I'm highly sceptical.  If
> > > installing squid blows up my custom firewall settings, I'm getting
> > > out my pitchfork. :)
> > >
> >
> > Hence why I suggest doing this through s-c-securitylevel so that that
> > functionality can be centrally disabled
>
> I think the ideal solution would be to use existing protocols (UPnP,
> NAT-PMP) to talk to a daemon (avahi-daemon for example) that is
> configured with basic policy settings (accept requests from this user,
> IP, interface, etc) and could also talk on DBUS for GUI prompt type
> stuff.  The daemon would have config options to specify what chains to
> alter, so that it can be made to work with other firewall scripts easily
> and obtrusively.   By using existing protocols, the exact same mechanism
> can work with home routers and such, and likely even SOHO 'firewalls'.
>
> Besides that, a lot of programs already have support for standardized
> protocols.  Sure, for a totally local-only type of thing, it's a larger
> number of hurdles to jump through, but then it can be the same hurdles
> for local-only vs small-LAN, and potentially even larger LANs.

Even better. All I ask is that more control over the security of the
system is given to s-c-securitylevel. I like the console, esp. on a
server. But when assisting people it is often convenient to point them
to the appropriate GUI.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )
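The policy-gated daemon David sketches above (a NAT-PMP request, checked against who may ask and which ports they may open, then translated into a change to one configured chain) as an added illustration; this is not code from the thread or from any Fedora component. The Policy fields, the LOCAL_ONLY policy and the SERVICE-OPENINGS chain name are assumptions; the packet layout is the NAT-PMP mapping request from RFC 6886 section 3.3, and the iptables command is returned rather than run.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    """Hypothetical policy for the request-gating daemon: who may ask, which
    ports they may open, and the single chain the daemon is allowed to edit."""
    allowed_sources: tuple             # networks whose requests are accepted
    port_range: tuple = (1024, 65535)  # unprivileged ports only
    max_lifetime: int = 3600           # cap on how long an opening may live
    chain: str = "SERVICE-OPENINGS"    # dedicated chain; custom rules elsewhere stay untouched

# Local-only policy, matching the thread's "totally local-only" case (assumed values).
LOCAL_ONLY = Policy(allowed_sources=("127.0.0.0/8",))

def build_map_request(proto: str, port: int, lifetime: int) -> bytes:
    """Constructed sample input: a NAT-PMP mapping request (RFC 6886 s.3.3)."""
    op = 1 if proto == "udp" else 2
    return struct.pack("!BBHHHI", 0, op, 0, port, port, lifetime)

def parse_map_request(packet: bytes) -> dict:
    """Decode the 12-byte request; reject anything that is not a map request."""
    if len(packet) != 12:
        raise ValueError("NAT-PMP map request must be 12 bytes")
    version, op, _reserved, internal, _external, lifetime = struct.unpack("!BBHHHI", packet)
    if version != 0 or op not in (1, 2):
        raise ValueError("not a NAT-PMP map request")
    return {"proto": "udp" if op == 1 else "tcp", "port": internal, "lifetime": lifetime}

def decide(policy: Policy, source_ip: str, req: dict):
    """Apply policy and return (iptables argv or None, reason)."""
    src = ip_address(source_ip)
    if not any(src in ip_network(n) for n in policy.allowed_sources):
        return None, "source not permitted by policy"
    lo, hi = policy.port_range
    if not lo <= req["port"] <= hi:
        return None, "port outside permitted range"
    action = "-D" if req["lifetime"] == 0 else "-A"   # lifetime 0 means "remove mapping"
    rule = ["iptables", action, policy.chain, "-p", req["proto"],
            "--dport", str(req["port"]), "-j", "ACCEPT"]
    lifetime = min(req["lifetime"], policy.max_lifetime)   # never exceed the policy cap
    reason = "closed" if action == "-D" else f"opened for {lifetime}s"
    return rule, reason
```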
