[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Browser mode for nautilus
On Mon, Oct 27, 2008 at 09:55:56PM +0100, Lennart Poettering wrote:
> > But dynamical ports are not new to iptables, lots of protocols, be
> > that rpc, h323 or even p-o-d passive ftp need them and conntrack/pom
> > rectify the `static firewall' view.
> 
> But all those protocols start the connection with a well known port
> and then hand things off to a dynamic port.  If you use truly random
> ports then iptables needs to sense what kind of protocol something is
> based on the packet contents. Which security-wise is a joke, and
> hence the whole idea makes no sense.

And there are services that use truly random ports? E.g. w/o any
handshaking or negotiation about these ports by well-defined
processes? What do we have mDNS/DNS-SD/SSDP for?

Just like FTP negotiates the `truly random' ports, so do the zeroconf
techniques with ips/ports/services.

iptables/netfilter already has intelligent agents to parse the passing
packets for needed dynamic firewall configuration. Just check it
out, and maybe you'll rethink the netfilter project. :)

> > I haven't followed up the latest netfilter developments, but I know
> > there is even a userspace lib for registering such connections. Maybe
> > RB/mDNS and friends just need a pom `plugin'.
> 
> The Linux kernel already has an API for that. It's called listen().

Cool, so any local non-privileged process could open up holes in the
firewall above ports 1024 as it pleases w/o the user even noticing.

Why not remove password protection from accounts while we are at it? ;)
-- 
Axel.Thimm at ATrpms.net

Attachment: pgpsWtutfSgOI.pgp
Description: PGP signature
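The point Axel makes above is that a connection-tracking helper does not need to guess a protocol from "random" packets: it watches the well-known control channel, reads the port that the two endpoints negotiate there, and admits only that one data connection as RELATED while everything else stays at the default deny. The following toy model of that behaviour is an added example, not code from this thread or from the netfilter project; the FTP session, the addresses and the function names are constructed for illustration. It mirrors the shape of the kernel's FTP helper (parse the PASV reply or PORT command, derive an expectation, match new connections against it) and adds a strict check that the advertised address equals the control-channel peer, so the helper can never be steered into opening a port toward a third host.

```python
"""Toy model of a netfilter-style conntrack helper for FTP data ports.

Added example (not netfilter code): a control-channel parser that turns the
negotiated passive (227 reply) or active (PORT command) data port into an
"expectation", plus a default-deny verdict function that admits only the
expected connection as RELATED.  Everything below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Server reply in passive mode and client command in active mode.  Both carry
# the address and port as six comma-separated decimal bytes.
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Expectation:
    """One data connection the helper will let through the firewall."""
    src: str    # peer allowed to initiate the data connection
    dst: str    # address the data connection must target
    dport: int  # the negotiated port, nothing else


def _decode(groups: Tuple[str, ...]) -> Optional[Tuple[str, int]]:
    """Turn h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2), rejecting junk."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def expectation_from_line(line: str, client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Derive an expectation from one control-channel line, or None.

    Strict mode: the advertised address must be the control-channel peer
    itself (server for PASV, client for PORT).  Otherwise the helper would be
    opening a hole toward some other host, so no expectation is created.
    """
    m = _PASV_RE.match(line)
    if m:
        decoded = _decode(m.groups())
        if decoded is None or decoded[0] != server_ip:
            return None
        return Expectation(src=client_ip, dst=server_ip, dport=decoded[1])
    m = _PORT_RE.match(line)
    if m:
        decoded = _decode(m.groups())
        if decoded is None or decoded[0] != client_ip:
            return None
        return Expectation(src=server_ip, dst=client_ip, dport=decoded[1])
    return None


def track_session(lines: List[str], client_ip: str, server_ip: str) -> List[Expectation]:
    """Walk a control-channel transcript and collect every expectation."""
    found = []
    for line in lines:
        exp = expectation_from_line(line, client_ip, server_ip)
        if exp is not None:
            found.append(exp)
    return found


def verdict(src: str, dst: str, dport: int, expectations: List[Expectation]) -> str:
    """Default-deny: a new inbound connection passes only if it is exactly one
    the helper expects (RELATED); a random or unexpected port is dropped."""
    for exp in expectations:
        if (src, dst, dport) == (exp.src, exp.dst, exp.dport):
            return "ACCEPT (RELATED)"
    return "DROP"


# Constructed sample: a passive-mode FTP session between a client and a server
# (documentation addresses, not real hosts).
CLIENT_IP = "198.51.100.7"
SERVER_IP = "192.0.2.10"
SAMPLE_SESSION = [
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest@",
    "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,89).",   # port 195*256+89 = 50009
    "RETR file.txt",
]

if __name__ == "__main__":
    exps = track_session(SAMPLE_SESSION, CLIENT_IP, SERVER_IP)
    print("expectations:", exps)
    print("client -> server:50009", verdict(CLIENT_IP, SERVER_IP, 50009, exps))
    print("other  -> server:50009", verdict("203.0.113.9", SERVER_IP, 50009, exps))
    print("client -> server:51000", verdict(CLIENT_IP, SERVER_IP, 51000, exps))
```

Note what the model does not do: it never sniffs an arbitrary packet to guess a protocol, which is exactly the objection raised in the quoted reply. A port only opens after the negotiating endpoints announce it on the tracked control channel, and only for the peer pair that negotiated it, which is the property a zeroconf helper would also have to preserve.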

