RFE: FireKit
Steve Grubb
sgrubb at redhat.com
Fri Jul 24 20:50:30 UTC 2009
On Thursday 23 July 2009 02:16:10 pm Ahmed Kamal wrote:
> Here's an RFE for FireKit, a firewall desktop "kit". What this does is:
> 1- Exposes a dbus interface for applications to programmatically open/close
> ports
I don't exactly like this. If one application gets compromised, it can now
open other ports that may be protected. Previously, it would require
CAP_NET_ADMIN or some other root-possessed capability to make changes. There
are a lot of important services above 1024 that a normal user could bind to.
You don't want the system to suddenly open those ports and allow traffic.
> 2- Monitors as new daemons/applications that listen on non lo interfaces
> are started, checks if iptables is currently blocking them, and if so,
> warns the user that application X is currently blocked by the firewall
This part I like.
-Steve
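
The monitoring half of the proposal (item 2), sketched as an added example that is not part of the original message or of any FireKit code: it finds TCP listeners bound to non-loopback addresses and reports those whose port the firewall does not allow, without opening anything. Assumptions: `/proc/net/tcp` text from a little-endian host, IPv4 only, and a caller-supplied `firewall_open_ports` set (hypothetical; deriving it from iptables rules is not shown).

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp layout (not data from the thread).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1
   3: 0A01A8C0:C350 0B01A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def parse_listeners(text):
    """Return (ip, port, uid) for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The address is a host-order 32-bit value printed as hex; on a
        # little-endian host, repacking as "<I" yields network byte order.
        ip = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
        listeners.append((ip, int(port_hex, 16), int(fields[7])))
    return listeners


def blocked_listeners(text, firewall_open_ports):
    """Non-loopback listeners whose port is not in the allowed set.

    firewall_open_ports is a hypothetical input: the set of TCP ports the
    current firewall policy accepts. The function only reports; it never
    changes firewall state.
    """
    findings = []
    for ip, port, uid in parse_listeners(text):
        if ip.is_loopback or port in firewall_open_ports:
            continue
        findings.append({"addr": str(ip), "port": port, "uid": uid,
                         "unprivileged_owner": uid != 0})
    return findings


if __name__ == "__main__":
    for finding in blocked_listeners(SAMPLE_PROC_NET_TCP, {22}):
        print("blocked by firewall:", finding)
```
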