RFE: FireKit

Steve Grubb sgrubb at redhat.com
Fri Jul 24 20:50:30 UTC 2009


On Thursday 23 July 2009 02:16:10 pm Ahmed Kamal wrote:
> Here's an RFE for FireKit, a firewall desktop "kit". What this does is:
> 1- Exposes a dbus interface for applications to programmatically open/close
> ports

I don't exactly like this. If one application gets compromised, it can now 
open other ports that may be protected. Previously, it would require 
CAP_NET_ADMIN or some other root-possessed capability to make changes. There 
are a lot of important services above 1024 that a normal user could bind to. 
You don't want the system to suddenly open those ports and allow traffic.


> 2- Monitors as new daemons/applications that listen on non lo interfaces
> are started, checks if iptables is currently blocking them, and if so,
> warns the user that application X is currently blocked by the firewall

This part I like.

-Steve
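
The monitoring half of the RFE (item 2) can be sketched as follows. This is an added example, not FireKit code or anything from the thread: it parses `/proc/net/tcp`-style text for listening sockets on non-loopback addresses and reports those whose port is not in an allowed set. The sample table is constructed, a little-endian host is assumed, and `allowed_ports` is a hypothetical stand-in for whatever the iptables ruleset currently accepts.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1003 1
   3: 0A00A8C0:C001 0101A8C0:0050 01 00000000:00000000 00:00000000 00000000   500        0 1004 1
"""

TCP_LISTEN = 0x0A  # socket state code the kernel prints for listening sockets


def parse_listeners(text):
    """Yield (ip, port, uid) for every LISTEN row in /proc/net/tcp text."""
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 8 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Assumption: little-endian host, so the printed u32 is byte-reversed.
        ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
        yield ip, int(hex_port, 16), int(fields[7])


def blocked_listeners(text, allowed_ports):
    """Return non-loopback listeners whose port is not in allowed_ports.

    allowed_ports is a hypothetical input: the set of TCP ports the
    firewall currently accepts, obtained separately from the ruleset.
    """
    return [
        (str(ip), port, uid)
        for ip, port, uid in parse_listeners(text)
        if not ip.is_loopback and port not in allowed_ports
    ]


if __name__ == "__main__":
    for ip, port, uid in blocked_listeners(SAMPLE_PROC_NET_TCP, {22}):
        print(f"listener {ip}:{port} (uid {uid}) is not reachable through the firewall")
```

The uid column matters for the concern raised in the reply: the constructed row on port 8080 belongs to an unprivileged user, which is exactly the case where warning the user differs from opening the port automatically.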



