Re: Firewall settings unworkable

2010-10-07 Thread Thomas Woerner
On 10/06/2010 08:31 PM, Richard W.M. Jones wrote: Seems quite complex. What's wrong with a directory: /etc/iptables.d/ where RPMs like libvirt just drop the required additional rules (in a separate chain if you like) and restart the iptables service? It's low-tech but simple and it's

Re: Firewall settings unworkable

2010-10-07 Thread Thomas Woerner
On 10/07/2010 02:20 AM, Genes MailLists wrote: On 10/06/2010 11:26 AM, Thomas Woerner wrote: 6) Compatibility Mode The current static firewall model will still be available for compatibility for users or administrators creating their own firewall. This deactivates the firewall service and

Re: Firewall settings unworkable

2010-10-07 Thread Tim Waugh
On Wed, 2010-10-06 at 17:26 +0200, Thomas Woerner wrote: It is possible to specify a timeout for a firewall service and also the other features. The service will be opened immediately and closed again after the defined period is over. This allows accepting new connections from unknown

Re: Firewall settings unworkable

2010-10-07 Thread Tim Waugh
On Wed, 2010-10-06 at 19:31 +0100, Richard W.M. Jones wrote: Seems quite complex. What's wrong with a directory: /etc/iptables.d/ where RPMs like libvirt just drop the required additional rules (in a separate chain if you like) and restart the iptables service? It's low-tech but

Re: Firewall settings unworkable

2010-10-06 Thread Thomas Woerner
I am currently working on a proof of concept implementation of a firewall daemon that will support dynamic firewall management with a D-BUS interface. This implementation should be usable in some days and will feature the transition of the current firewall model to the dynamic version. It

Re: Firewall settings unworkable

2010-10-06 Thread Dennis Jacobfeuerborn
On 10/06/2010 08:31 PM, Richard W.M. Jones wrote: Seems quite complex. What's wrong with a directory: /etc/iptables.d/ where RPMs like libvirt just drop the required additional rules (in a separate chain if you like) and restart the iptables service? It's low-tech but simple and it's

Re: Firewall settings unworkable

2010-10-06 Thread Genes MailLists
On 10/06/2010 11:26 AM, Thomas Woerner wrote: 6) Compatibility Mode The current static firewall model will still be available for compatibility for users or administrators creating their own firewall. This deactivates the firewall service and also the D-BUS daemon. --- Comments

Re: Firewall settings unworkable

2010-10-02 Thread Richard W.M. Jones
On Sat, Oct 02, 2010 at 02:17:49AM +0200, Dennis J. wrote: [...] I asked Dan Berrange to join this thread since he's most knowledgeable about the exact problem and requirements from the libvirt side. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones virt-df

Firewall settings unworkable

2010-10-01 Thread Tim Waugh
There are several protocols used for discovery of network services that currently cannot be made to work on Fedora simply due to the restrictive firewall we use by default. For example, a broadcast SNMP query to discover network printers is sent as a UDP packet from an unprivileged local port to

Re: Firewall settings unworkable

2010-10-01 Thread Tomasz Torcz
On Fri, Oct 01, 2010 at 02:00:46PM +0100, Tim Waugh wrote: There are several protocols used for discovery of network services that currently cannot be made to work on Fedora simply due to the restrictive firewall we use by default. For example, a broadcast SNMP query to discover network

Re: Firewall settings unworkable

2010-10-01 Thread David Howells
The following works for UDP too: -A INCOMING -m state --state RELATED,ESTABLISHED -j ACCEPT Leastways, I can do AFS through my firewall with it. David -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Firewall settings unworkable

2010-10-01 Thread Tim Waugh
On Fri, 2010-10-01 at 15:23 +0200, Tomasz Torcz wrote: ZeroConf discovery (port 5353) is denied by default also :( But that can be enabled with a single checkbox (Multicast DNS (mDNS)), and that can also be done programmatically using system-config-firewall's D-Bus interface, such as it is.

Re: Firewall settings unworkable

2010-10-01 Thread Tim Waugh
On Fri, 2010-10-01 at 15:07 +0100, David Howells wrote: The following works for UDP too: -A INCOMING -m state --state RELATED,ESTABLISHED -j ACCEPT Leastways, I can do AFS through my firewall with it. Does that work for unicast replies to broadcast queries though? e.g. IP
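
The question Tim raises here, and the rule David posted above, can be checked against a small model of how netfilter's UDP connection tracking decides the state match. The following is an added illustration for this thread, not code from the list, from netfilter or from any Fedora package. It tracks flows by the (src, sport, dst, dport) tuple the way conntrack does, then runs three cases through a default-deny INPUT chain that contains only the RELATED,ESTABLISHED accept rule: the reply to a unicast SNMP query, the unicast replies to a broadcast query, and the same broadcast case with a netbios_ns-style broadcast helper assumed to exist for UDP port 161 (the thread only asks about such a module; it is modelled here as a hypothetical). Addresses, ports and the 192.168.1.0/24 network are constructed sample data, and conntrack timeouts are not modelled.

```python
"""Toy model of netfilter UDP connection tracking (added illustration,
not code from the thread or from netfilter).

Shows why '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
passes the reply to a unicast UDP query but not the unicast replies to
a broadcast query: the reply's reverse tuple names the real responder,
while the tracked flow names the broadcast address.  A broadcast helper
in the style of nf_conntrack_netbios_ns (assumed here for port 161)
adds an expectation that makes such replies RELATED.  Sample network,
hosts and ports are constructed; timeouts are not modelled.
"""
from dataclasses import dataclass
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed sample LAN


@dataclass(frozen=True)
class UdpTuple:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return UdpTuple(self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Expectation:
    """A reply the helper told conntrack to expect: any host in `net`,
    sending from `sport`, to the original sender's address and port."""
    net: ipaddress.IPv4Network
    sport: int
    dst: str
    dport: int

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in self.net
                and pkt.sport == self.sport
                and pkt.dst == self.dst and pkt.dport == self.dport)


class Conntrack:
    def __init__(self, helper_ports=()):
        self.flows = {}            # original-direction tuple -> reply seen?
        self.expectations = []     # kept while the flow lives (no timeouts here)
        self.helper_ports = set(helper_ports)  # ports with a broadcast helper

    def classify(self, pkt):
        """Return the state-match name for pkt and update the table."""
        rev = pkt.reverse()
        if rev in self.flows:              # reply direction of a tracked flow
            self.flows[rev] = True
            return "ESTABLISHED"
        if pkt in self.flows:              # retransmit in the original direction
            return "ESTABLISHED" if self.flows[pkt] else "NEW"
        for exp in self.expectations:
            if exp.matches(pkt):           # reply a helper prepared us for
                self.flows[pkt] = False
                return "RELATED"
        self.flows[pkt] = False            # first packet of a new flow
        if (pkt.dport in self.helper_ports
                and pkt.dst == str(LOCAL_NET.broadcast_address)):
            # Like nf_conntrack_netbios_ns: expect replies from any host on
            # the outgoing network, from the service port, back to the sender.
            self.expectations.append(
                Expectation(LOCAL_NET, pkt.dport, pkt.src, pkt.sport))
        return "NEW"


def input_verdict(ct, pkt):
    """Default-deny INPUT chain whose only rule is RELATED,ESTABLISHED accept."""
    return "ACCEPT" if ct.classify(pkt) in ("RELATED", "ESTABLISHED") else "DROP"


def discovery_scenarios(with_helper):
    """Run the unicast and broadcast SNMP discovery cases; return verdicts."""
    ct = Conntrack(helper_ports=(161,) if with_helper else ())
    me, printer, stranger = "192.168.1.10", "192.168.1.50", "10.0.0.5"
    bcast = str(LOCAL_NET.broadcast_address)
    results = {}
    # 1. Unicast query (seen on OUTPUT) and its reply: tracked both ways.
    ct.classify(UdpTuple(me, 40000, printer, 161))
    results["unicast reply"] = input_verdict(ct, UdpTuple(printer, 161, me, 40000))
    # 2. Broadcast query; each printer answers from its own unicast address.
    ct.classify(UdpTuple(me, 40001, bcast, 161))
    results["broadcast reply, on-link"] = input_verdict(ct, UdpTuple(printer, 161, me, 40001))
    results["broadcast reply, off-link"] = input_verdict(ct, UdpTuple(stranger, 161, me, 40001))
    results["broadcast reply, wrong port"] = input_verdict(ct, UdpTuple(printer, 1234, me, 40001))
    return results


if __name__ == "__main__":
    for helper in (False, True):
        print("with helper" if helper else "plain conntrack", discovery_scenarios(helper))
```

Without the helper the unicast reply is ESTABLISHED and accepted, while every reply to the broadcast query is NEW and dropped, which is the behaviour Tim is asking about. With the helper, replies from on-link hosts on the service port become RELATED and pass, but a reply from off the local network or from another source port still falls through to the default drop, so the helper widens the hole only as far as the discovery protocol needs.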

Re: Firewall settings unworkable

2010-10-01 Thread Tim Waugh
On Fri, 2010-10-01 at 15:19 +0100, David Howells wrote: Good question; I don't know. netfil...@vger.kernel.org is probably the place to ask. I did ask about this issue on netfilter, last year (look for SNMP conntrack module a la netbios_ns, Dec 4th 2009). That's where the idea for a general

Re: Firewall settings unworkable

2010-10-01 Thread Richard W.M. Jones
On Fri, Oct 01, 2010 at 02:00:46PM +0100, Tim Waugh wrote: In system-config-printer I try to get it to modify the firewall to allow in the various network query responses that we expect, [...] I should note, although it's not your fault, that this breaks libvirt networking. libvirt needs to

Re: Firewall settings unworkable

2010-10-01 Thread Dennis J.
On 10/01/2010 10:36 PM, Richard W.M. Jones wrote: On Fri, Oct 01, 2010 at 02:00:46PM +0100, Tim Waugh wrote: In system-config-printer I try to get it to modify the firewall to allow in the various network query responses that we expect, [...] I should note, although it's not your fault, that