
Re: Browser mode for nautilus



On Mon, Oct 27, 2008 at 03:53:30PM -0400, David Zeuthen wrote:
> Hence, if people want to share files using, say, Rhythmbox (and they
> do), they are left with either
> 
>  1. Turning off the firewall
>  2. Configuring iptables(8) or using system-config-firewall
> 
> Now, let me explain to you how RB/Banshee/gnome-user-share works. They
> allocate a random high port number. Now, before you complain that you
> think this is broken you have to understand why this is so.
> 
> The programs have to do this because you may have several sessions or
> instances running. So in general you can't really predict the port
> number (or even range) to use since the user may add new services that
> share stuff on the network.
> 
> So in general 2. won't really work (because you'd have to update it
> dynamically) so users of course resort to 1. Wow, what's that thing
> going out the window? That other useful stuff that we might have
> configured the iptables(8) stack with except for blocking ports.

But dynamic ports are not new to iptables: lots of protocols, be
that rpc, h323 or even p-o-d passive ftp, need them, and conntrack/pom
rectify the `static firewall' view.

I haven't followed the latest netfilter developments, but I know
there is even a userspace lib for registering such connections. Maybe
RB/mDNS and friends just need a pom `plugin'.

Note that just as you turn off iptables and prefer selinux, I do that
the other way around, as my selinux foo is less than desirable. I guess
both of us are not really doing The Right Thing, but sometimes time
matters.
-- 
Axel.Thimm at ATrpms.net

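The reply above argues that conntrack, not a static port list, is the right way to admit dynamically negotiated ports. As an added illustration that is not part of the thread and not anyone's posted configuration, here is what that ruleset looks like for the one case the reply names that netfilter actually ships a helper for, passive FTP. It assumes a single host with sshd on 22 and an FTP server on 21, and that the kernel is recent enough that helpers are no longer auto-attached to every flow (the default since 4.7), so the helper is bound explicitly with the raw-table CT target. The function names (conntrack_rules, helper_rules, apply_rules) are mine. Note the caveat the reply itself implies: DAAP/Rhythmbox sharing has no conntrack helper, so this pattern covers only protocols for which one exists or is written.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful iptables ruleset that
# admits dynamically negotiated ports via conntrack rather than by opening
# a static high-port range. Rules are printed as a dry run; apply_rules
# is the only function that touches the live firewall.

IPTABLES="${IPTABLES:-iptables}"

# Filter-table policy: default deny, loopback open, anything conntrack
# already knows (ESTABLISHED) or has tied to a known flow (RELATED)
# accepted, then the two control ports that may open NEW connections.
# The FTP data connection never appears here: the ftp helper sees the
# PASV/PORT exchange on port 21 and marks it RELATED.
conntrack_rules() {
cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Kernels since 4.7 do not attach helpers automatically; bind the ftp
# helper to the control channel only, so it cannot be triggered on other
# ports by a client that merely speaks FTP syntax.
helper_rules() {
cat <<'EOF'
-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
EOF
}

# Number of iptables invocations the full ruleset produces.
count_rules() {
    { helper_rules; conntrack_rules; } | wc -l | tr -d ' '
}

# Load the helper module and feed each line to iptables (needs root).
apply_rules() {
    modprobe nf_conntrack_ftp
    { helper_rules; conntrack_rules; } | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        "$IPTABLES" $rule
    done
}

# Dry run: show exactly what apply_rules would execute.
{ helper_rules; conntrack_rules; } | sed "s|^|$IPTABLES |"
```

Run the script as-is to see the commands; call apply_rules from a root shell to install them. The order matters: the helper rule must exist before the control connection is seen, and the RELATED,ESTABLISHED rule must precede the per-port NEW rules so data channels are accepted without a port-specific rule.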

