[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Browser mode for nautilus



On Mon, 27.10.08 23:08, Axel Thimm (Axel Thimm ATrpms net) wrote:

> On Mon, Oct 27, 2008 at 09:55:56PM +0100, Lennart Poettering wrote:
> > > But dynamical ports are not new to iptables, lots of protocols, be
> > > that rpc, h323 or even p-o-d passive ftp need them and conntrack/pom
> > > rectify the `static firewall' view.
> > 
> > But all those protocols start the connection with a well known port
> > and then hand things off to a dynamic port.  If you use truely random
> > ports than iptables needs to sense what kind of protocol something is
> > based on the packet contents. Which security-wise is a joke, and
> > hence the whole idea makes no sense.
> 
> And there are services that use truely random ports? E.g. w/o any
> handshaking or negotiation about these ports by well-defined
> processes? Why do we have mDNS/DNS-SD/SSDP for?

So you are suggesting that a firewall should automatically whitelist
all ports that are announced via mDNS on the network? Wow. That it is
certainly one hell of a good idea. Oh my. 

Are you sure you really understand what "security" means?

"Security" certainly doesn't mean whitelisting everything that someone
likes to announce on the network via mDNS/DNS-SD.

> > > I haven't followed up the latest netfilter developments, but I know
> > > there is even a userspace lib for registering such connections. Maybe
> > > RB/mDNS and friends just need a pom `plugin'.
> > 
> > The Linux kernel already has an API for that. It's called listen().
> 
> Cool, so any local non-priviledged process could open up holes in the
> firewall above ports 1024 as it pleases w/o the user even noticing.

Yes. Absolutely. If he wants to use an app he will circumvent the fw
anyway. And hence the fw is pointless and it would be far smoother to
allow this kind of operation without nagging.

> Why not remove password protection from accounts while we are at it?
> ;)

Hmm, so you did have a clown for breakfast, didn't you?

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net         ICQ# 11060553
http://0pointer.net/lennart/           GnuPG 0x1A015CC4


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]