firewall changes for F-9+

Tim Waugh twaugh at redhat.com
Thu Mar 6 23:06:57 UTC 2008 

On Wed, 2008-01-16 at 18:52 +0100, Thomas Woerner wrote:
> Hello,
> 
> here are the latest changes for system-config-firewall for F-9+:
> 
> The usage of --port=<port>:<proto> for lokkit will open up this port and 
> not a service using this port anymore. To enable a service you have to 
> use the new --service=<name> option. There are no magic default open 
> services. You have to open up the services, you want to use. The interim 
> options --no-X; X in ["ipsec", "mdns", "ipp"] are obsolete now.
> 
> To setup a new firewall, you can use the new --default=<name> 
> configuration option as a start:
>    server  : ssh is enabled
>    desktop : ipsec, mdns and ipp are enabled
> 
> These changes for lokkit also affect the kickstart firewall configuration.
> 
> There is an utility to convert existing configurations, which will be 
> used automatically while updating the package.

I don't think it's a good default to have IPP disabled.  The cupsd
process already binds to localhost by default, and only binds to '*'
when a printer is explicitly shared by the user.

As for RPC services binding to the IPP port instead -- well, this is a
bug that needs to be fixed regardless.  Whether it's done with SELinux
policy, or with a port reservation daemon, or with portmap/glibc hacks,
I don't mind.

It would be differnet if there were a mechanism that
system-config-printer could use to request that the IPP port be opened
(with user approval), perhaps based on PolicyKit.  The truth is that
there is no such mechanism, even though I have repeatedly asked for it.
(No, lokkit is not sufficient: it needs to be something that a non-root
user application can request, as system-config-printer will not run as
root in the future.)

Until that mechanism is provided, blocking the IPP port will make the
user experience of sharing printers quite a lot worse, and will probably
lead to people disabling the firewall altogether in the same way they
have previously disabled SELinux.

Just my humble opinion,
Tim.
*/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20080306/00108ae8/attachment.sig>

More information about the fedora-devel-list mailing list