Re: RFE: FireKit

On Thursday 23 July 2009 02:16:10 pm Ahmed Kamal wrote:
> Here's a RFE for FireKit, a firewall desktop "kit". What this does is:
> 1- Exposes a dbus interface for applications to programmatically open/close
> ports

I don't exactly like this. If one application gets compromised, it can now
open other ports that may be protected. Previously, it would require
CAP_NET_ADMIN or some other root possessed capability to make changes. There
are a lot of important services above 1024 that a normal user could bind to.
You don't want the system to suddenly open those ports and allow traffic.

> 2- Monitors as new daemons/applications that listen on non lo interfaces
> are started, checks if iptables is currently blocking them, and if so,
> warns the user that application X is currently blocked by the firewall

This part I like.
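The second item above (notice a new listener on a non-loopback address and check whether the INPUT chain drops it) can be prototyped as a small read-only check. The script below is an added example, not FireKit code and not from the thread's authors. It assumes the kernel's documented column layout for /proc/net/tcp and the rule syntax printed by `iptables -S INPUT`; both inputs are constructed samples so it runs offline, and the per-port ACCEPT matching is a simplification (interface- or source-specific rules are not modelled). The uid column is reported because, as the reply points out, an unprivileged user can bind a port above 1024.

```python
"""Added example (not FireKit's code): list TCP sockets in LISTEN state on
non-loopback addresses and flag those the INPUT chain would not admit.

Assumptions: /proc/net/tcp uses the kernel's standard columns, the rule text
is the output of `iptables -S INPUT`, and the host is little-endian (the
address field is stored in host byte order)."""
import re
import socket
import struct

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp: a MySQL-style listener bound to
# loopback, sshd on all interfaces, a uid-1000 process on 8080, and one
# established client connection that should be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:A3C4 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of `iptables -S INPUT`: default DROP, only ssh allowed.
SAMPLE_IPTABLES_INPUT = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""


def decode_addr(hex_addr):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The 32-bit address is written in host byte order; "<I" assumes little-endian.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return (ip, port, uid) for every socket in LISTEN state."""
    result = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        result.append((ip, port, int(fields[7])))
    return result


def is_loopback(ip):
    return ip.startswith("127.")


def input_policy(rules_text):
    """Default policy of the INPUT chain ('ACCEPT' if no -P line is present)."""
    m = re.search(r"^-P INPUT (\w+)", rules_text, re.M)
    return m.group(1) if m else "ACCEPT"


def accepted_tcp_ports(rules_text):
    """Destination ports named by a plain '-p tcp ... --dport N -j ACCEPT' rule."""
    ports = set()
    for line in rules_text.splitlines():
        if "-p tcp" in line and "-j ACCEPT" in line:
            m = re.search(r"--dport (\d+)", line)
            if m:
                ports.add(int(m.group(1)))
    return ports


def blocked_listeners(proc_net_tcp_text, rules_text):
    """Listeners on non-loopback addresses that new connections cannot reach:
    the chain's default policy is not ACCEPT and no ACCEPT rule names their port."""
    if input_policy(rules_text) == "ACCEPT":
        return []
    allowed = accepted_tcp_ports(rules_text)
    return [
        (ip, port, uid)
        for ip, port, uid in listening_sockets(proc_net_tcp_text)
        if not is_loopback(ip) and port not in allowed
    ]


if __name__ == "__main__":
    for ip, port, uid in blocked_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_IPTABLES_INPUT):
        print(f"warning: listener on {ip}:{port} (uid {uid}) is blocked by the INPUT chain")
```

On a live host the two sample strings would be replaced by the contents of /proc/net/tcp (plus /proc/net/tcp6 for IPv6) and the output of `iptables -S INPUT`; the check only reads state and never changes rules, which keeps it on the side of the proposal the reply approves of.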
