On Dec 9, 2014 12:06 PM, "Chuck Anderson" <c...@wpi.edu> wrote:
>
> On Tue, Dec 09, 2014 at 11:52:01AM -0700, Pete Travis wrote:
> > On Dec 9, 2014 11:33 AM, "Chuck Anderson" <c...@wpi.edu> wrote:
> > I should have said "ask firewalld for a port to be opened" - sorry, I
> > thought that would come from the context.
> >
> > Are you saying bind() should be talking to firewalld, via some approval
> > agent? How do we make that happen?
>
> My point was that a firewall is superfluous if a program can just ask
> firewalld to poke a hole in the firewall for it automatically, because
> a program can already ask the system to open a listening port for it
> using bind(2) (and listen(2) and accept(2)) when no firewall is
> present.
>
> It means that in a world where automatic-hole-punching exists, the
> only use of a firewall on the host is maybe to limit the SCOPE of such
> communication, not whether such communication is allowed at all or
> not. This is where firewall zones come in.
Okay, one more thing on the ideal requirements list: firewalld must not blindly approve all requests; there must be some approval mechanism. What would that look like?

--Pete
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct