On Dec 9, 2014 12:38 PM, "Chuck Anderson" <c...@wpi.edu> wrote:
>
> On Tue, Dec 09, 2014 at 12:09:23PM -0700, Pete Travis wrote:
> > On Dec 9, 2014 12:06 PM, "Chuck Anderson" <c...@wpi.edu> wrote:
> > >
> > > On Tue, Dec 09, 2014 at 11:52:01AM -0700, Pete Travis wrote:
> > > > On Dec 9, 2014 11:33 AM, "Chuck Anderson" <c...@wpi.edu> wrote:
> > > > I should have said "ask firewalld for a port to be opened" - sorry, I thought that would come from the context.
> > > >
> > > > Are you saying bind() should be talking to firewalld, via some approval agent? how do we make that happen?
> > >
> > > My point was that a firewall is superfluous if a program can just ask firewalld to poke a hole in the firewall for it automatically, because a program can already ask the system to open a listening port for it using bind(2) (and listen(2) and accept(2)) when no firewall is present.
> > >
> > > It means that in a world where automatic-hole-punching exists, the only use of a firewall on the host is maybe to limit the SCOPE of such communication, not whether such communication is allowed at all or not. This is where firewall zones come in.
> >
> > Okay, one more thing on the ideal requirements list: firewalld must not blindly approve all requests, there must be some approval mechanism. What would that look like?
>
> You either have a pre-approved policy of what is allowed and what is not similar to how SELinux policy, PolicyKit rules, and the existing firewall rule mechanisms work, you ask the user on each request, similar to how some Windows firewalls work, or you ask the user when they connect to a network which "zone" to associate that network with, and use a pre-approved policy for each zone. Zones can be "Home", "Public", "Work", etc. Windows does this as well.
>
Hmm... a whitelist of things that are allowed to ask for firewall accommodation doesn't help me develop new applications at all. And you're jumping to a really high level UI thing and just sort of hand-waving over the mechanism needed to make it all work. Assigning different networks to zones is a different problem compared to a program asking for a port.

--Pete
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct