Hi, folks. Lately I've been exercising my tiny brain about firewalls. :) Namely, what do we do about the bloody things when people have one?
Most of you probably know or have observed by now that you can't do anything useful with synce if you've got a fairly normal firewall setup. This is of course because the device is a network interface and your firewall helpfully blocks the bad, evil communications with it. So to do anything useful with synce you need the following ports to be opened for the WM device interface:

990/tcp
999/tcp
5678/tcp
5721/tcp
26675/tcp

That's for WM5+. For WM2003 and earlier I think 5679 is also needed (not sure if that's UDP or TCP, sources seem to conflict).

Now I'm scratching my head about how to go about this.

Option 1 - do nothing about it in software and just write details on how to open those ports into the How To Synchronize Your Phone guides we have lying around everywhere. This sucks for hopefully obvious reasons. :)

Option 2 - I can add this to our (Mandriva's) firewall configuration GUI (it's very simple) so you can just run drakfirewall, click on a box, click OK three times, and your sync works. But:

* This still requires interaction.
* It's kinda inelegant and non-obvious - you'll probably have to read some kind of documentation to figure it out.
* It opens the ports for *all* interfaces, not just the synce interface.

Option 3 - we could stick an iptables command in the HAL scripts. This is very possibly utter crack, and please do let me know if it is. But it seems to me we can run a very generic iptables command in the HAL scripts when a device is plugged in, to open those ports for the synce interface. It would not require any user interaction - it would 'just work' when they plugged in the device. It only opens the ports for the synce interface, not for the other network interfaces on the system. And it should be compatible with most 'firewalls', as just about every Linux firewall is really just a front end for iptables when you get down to it.

Drawbacks: as I said, it may be just crack. I don't know if you're *supposed* to go around firing off non-interactive iptables commands in HAL. Someone may be coming to kill me for suggesting it even as I speak. It definitely looks, walks, smells and sounds like a hack at the very least.

jc2k points out that as far as we know, most 'firewalls' (that is, iptables front ends) tend to just wipe out the entire iptables configuration and create it from scratch whenever they're fired up or their configuration is changed. So if the user does anything to trigger a firewall configuration update after plugging in their device, it will probably wipe out the rule. I pointed out that at least this would respond to the classic end-user solution: unplug it and plug it in again. That'd fix it, because the rule would be re-created.

There may be some kind of security problem with this.

There's probably lots of other drawbacks, do feel free to point them out. :) But I wanted to at least float the idea for feedback. What does anyone think we should do about this - besides writing FirewallKit? :)

-- 
adamw
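A sketch of what Option 3 from the post above could look like, added here as an example and not code from the SynCE project or from adamw. It opens only the TCP ports listed in the post, and only on the device's own interface (matched with `-i`, so the rest of the system stays closed), deletes the rules again on unplug, and validates the interface name before it is spliced into a root-level command. The interface name `rndis0`, the `add|remove <iface>` argument convention, and the idea of driving it from a HAL callout via `HAL_PROP_NET_INTERFACE` are assumptions; the script itself does not depend on HAL.

```shell
#!/bin/sh
# Added example (not SynCE project code): open the SynCE ports only on the
# plugged-in device's interface and close them again on unplug.
# Assumed: the caller passes "add" or "remove" and the interface name
# (e.g. from HAL_PROP_NET_INTERFACE in a HAL callout). Set SYNCE_FW_DRY_RUN=1
# to print the iptables commands instead of running them.

# WM5+ ports from the post; all TCP. 5679 for WM2003 is left out because the
# post is unsure whether it is TCP or UDP.
SYNCE_TCP_PORTS="990 999 5678 5721 26675"

# Reject anything that is not a plain interface name, so a hostile or
# malformed property value can never become extra iptables arguments.
valid_iface() {
    case $1 in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit one iptables command per port. $1 is -I (insert) or -D (delete),
# $2 is the interface. Matching on -i keeps every other interface closed.
synce_rules() {
    action=$1
    iface=$2
    for port in $SYNCE_TCP_PORTS; do
        printf 'iptables %s INPUT -i %s -p tcp --dport %s -j ACCEPT\n' \
            "$action" "$iface" "$port"
    done
}

# Run a command, or just print it when SYNCE_FW_DRY_RUN is set.
run_rule() {
    if [ -n "${SYNCE_FW_DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Apply (-I) or remove (-D) the rule set for one interface.
synce_apply() {
    action=$1
    iface=$2
    valid_iface "$iface" || { echo "bad interface name: $iface" >&2; return 1; }
    # Delete before inserting so a repeated plug event (or a firewall
    # front end re-running us) does not stack duplicate rules. -D fails
    # when the rule is absent, which is harmless here.
    if [ "$action" = "-I" ]; then
        synce_rules -D "$iface" | while read -r cmd; do
            run_rule $cmd 2>/dev/null || true
        done
    fi
    synce_rules "$action" "$iface" | while read -r cmd; do
        run_rule $cmd
    done
}

# Map the hook action to an iptables action.
synce_hook() {
    case $1 in
        add)    synce_apply -I "$2" ;;
        remove) synce_apply -D "$2" ;;
        *)      echo "usage: $0 add|remove <iface>" >&2; return 2 ;;
    esac
}

# Entry point when invoked as a hook, e.g. "synce-fw.sh add rndis0".
if [ $# -ge 2 ]; then
    synce_hook "$1" "$2"
fi
```

Two design notes: the rules are inserted at the head of INPUT rather than appended, so they take effect even when the distribution's firewall ends its chain with a DROP; and because a front end that rebuilds the ruleset will silently discard them, the "remove" path is kept cheap and tolerant of already-missing rules so that re-running "add" after a replug is always safe.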