Services automaticly change firewall rules to open access to themselfs.

David Hollis dhollis at davehollis.com
Mon Aug 20 19:19:27 UTC 2007


On Mon, 2007-08-20 at 12:33 -0500, Arthur Pemberton wrote:
> > I run custom firewall rules.  If you can get this idea to play
> nicely with
> > my custom script, and with Shorewall setups, and with
> s-c-securitylevel,
> > go for it.  But I'm highly sceptical.  If installing squid blows up
> my
> > custom firewall settings, I'm getting out my pitchfork. :)
> >
> 
> Hence why I suggest doing this through s-c-secuirtylevel so that that
> functionality can centrally be disabled 

I think the ideal solution would be to use existing protocols (UPnP,
NAT-PMP) to talk to a daemon (avahi-daemon for example) that is
configured with basic policy settings (accept requests from this user,
IP, interface, etc) and could also talk on DBUS for GUI prompt type
stuff.  The daemon would have config options to specify what chains to
alter, so that it can be made to work with other firewall scripts easily
and obtrusively.   By using existing protocols, the exact same mechanism
can work with home routers and such, and likely even SOHO 'firewalls'.

Besides that, a lot of programs already have support for standardized
protocols.  Sure, for a totally local-only type of thing, it's a larger
number of hurdles to jump through, but then it can be the same hurdles
for local-only vs small-LAN, and potentially even larger LANs.

-- 
David Hollis <dhollis at davehollis.com>




More information about the fedora-devel-list mailing list