[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Browser mode for nautilus



On Mon, 27.10.08 22:45, Axel Thimm (Axel Thimm ATrpms net) wrote:

> On Mon, Oct 27, 2008 at 03:53:30PM -0400, David Zeuthen wrote:
> > Hence, if people want to share files using, say, Rhythmbox (and they
> > do), they are left with either
> > 
> >  1. Turning off the firewall
> >  2. Configuring iptables(8) or using system-config-firewall
> > 
> > Now, let me explain to you how RB/Banshee/gnome-user-share works. They
> > allocate a random high port number. Now, before you complain that you
> > think this in broken you have to understand why this is so.
> > 
> > The programs have to do this because you may have several sessions or
> > instances running. So in general you can't really predict the port
> > number (or even range) to use since the user may add new services that
> > share stuff on the network.
> > 
> > So in general 2. won't really work (because you'd have to update it
> > dynamically) so users of course resort to 1. Wow, what's that thing
> > going out the window? That other useful stuff that we might have
> > configured the iptables(8) stack with except for blocking ports.
> 
> But dynamic ports are not new to iptables, lots of protocols, be
> it rpc, h323 or even p-o-d passive ftp need them and conntrack/pom
> rectify the `static firewall' view.

But all those protocols start the connection with a well known port
and then hand things off to a dynamic port.  If you use truly random
ports then iptables needs to sense what kind of protocol something is
based on the packet contents. Which security-wise is a joke, and
hence the whole idea makes no sense.

> I haven't followed up the latest netfilter developments, but I know
> there is even a userspace lib for registering such connections. Maybe
> RB/mDNS and friends just need a pom `plugin'.

The Linux kernel already has an API for that. It's called listen().

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net         ICQ# 11060553
http://0pointer.net/lennart/           GnuPG 0x1A015CC4
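The two patterns argued about above, as an added illustration that is not code from this thread nor from Rhythmbox, Banshee, gnome-user-share or netfilter: a service that binds port 0 and calls listen() gets a kernel-chosen ephemeral port that no statically written pinhole can anticipate, while a conntrack-style helper only ever inspects a well-known control port and opens one related pinhole for the port the peer announces. The control-message format ("PORT <n>"), the control port 21, the helper class and the demo() function are assumptions made for this example.

```python
import re
import socket
from typing import Dict, Optional, Set, Tuple

# Constructed illustration (not the applications' or the kernel's code): a
# "random high port" listener versus a well-known-control-port handoff that a
# conntrack helper can follow.


def allocate_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind to port 0 so the kernel picks a free ephemeral port, then listen().

    This is the pattern the thread describes: the application does not know
    its port before it starts, so a firewall rule written up front cannot
    name it. getsockname() reveals the port only after bind().
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, 0))
    s.listen(5)
    return s, s.getsockname()[1]


def static_ruleset_allows(allowed_ports: Set[int], port: int) -> bool:
    """A firewall configured once, in advance (system-config-firewall style)."""
    return port in allowed_ports


class ConntrackLikeHelper:
    """Minimal model of a netfilter conntrack helper such as the FTP one.

    It is consulted only for traffic to a fixed, well-known control port,
    parses the port the peer announces there, and records an 'expectation'
    so that exactly one related data connection may pass. The message
    format 'PORT <n>' is a simplification assumed for this example.
    """
    CONTROL_PORT = 21
    _port_re = re.compile(r"^PORT (\d{1,5})$")

    def __init__(self) -> None:
        self.expectations: Set[int] = set()

    def inspect_control(self, dst_port: int, payload: str) -> Optional[int]:
        """Return the announced data port if the announcement is acceptable."""
        if dst_port != self.CONTROL_PORT:
            return None  # never sniff arbitrary ports for protocol hints
        m = self._port_re.match(payload.strip())
        if not m:
            return None
        port = int(m.group(1))
        if not 1024 <= port <= 65535:
            return None  # refuse privileged or out-of-range ports
        self.expectations.add(port)
        return port

    def allows_data(self, dst_port: int) -> bool:
        """Consume the expectation: one related connection per announcement."""
        if dst_port in self.expectations:
            self.expectations.discard(dst_port)
            return True
        return False


def demo() -> Dict[str, object]:
    """Run both scenarios on loopback and report what a firewall would see."""
    allowed = {22, 80, 443}  # static rules written before the apps start
    a, port_a = allocate_listener()
    b, port_b = allocate_listener()
    try:
        result: Dict[str, object] = {
            "ports_are_high": port_a >= 1024 and port_b >= 1024,
            "ports_distinct": port_a != port_b,
            "static_rule_admits": static_ruleset_allows(allowed, port_a)
            or static_ruleset_allows(allowed, port_b),
        }
    finally:
        a.close()
        b.close()
    helper = ConntrackLikeHelper()
    result["learned_port"] = helper.inspect_control(21, "PORT 40123\r\n")
    result["data_allowed_once"] = helper.allows_data(40123)
    result["data_allowed_twice"] = helper.allows_data(40123)
    result["ignored_off_control_port"] = helper.inspect_control(8080, "PORT 40124")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The helper never has to guess a protocol from packet contents on an arbitrary port, which is the point made above: it anchors on a fixed control port and learns the dynamic one from an explicit announcement. A listener that simply picks a random high port offers no such anchor, so the choice really is between updating rules at runtime and opening the firewall.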
