On Tue, 2008-09-16 at 18:49 +0200, Adam Williamson wrote:
> Hi, folks.
>
> Lately I've been exercising my tiny brain about firewalls. :) Namely, what do we do about the bloody things when people have one?
>
> Most of you probably know or have observed by now that you can't do anything useful with synce if you've got a fairly normal firewall setup. This is of course because the device is a network interface and your firewall helpfully blocks the bad, evil communications with it. So to do anything useful with synce you need the following ports to be opened for the WM device interface:
>
> 990/tcp 999/tcp 5678/tcp 5721/tcp 26675/tcp
>
> that's for WM5+. For WM2003 and earlier I think 5679 is also needed (not sure if that's UDP or TCP, sources seem to conflict).
>
> Now I'm scratching my head about how to go about this.
>
> Option 1 - do nothing about it in software and just write details on how to open those ports into the How To Synchronize Your Phone guides we have lying around everywhere. This sucks for hopefully obvious reasons. :)
>
> Option 2 - I can add this to our (Mandriva's) firewall configuration GUI (it's very simple) so you can just run drakfirewall, click on a box, click OK three times, and your sync works. But:
>
> * This still requires interaction.
> * It's kinda inelegant and non-obvious - you'll probably have to read some kind of documentation to figure it out.
> * It opens the ports for *all* interfaces, not just the synce interface.
>
> Option 3 - we could stick an iptables command in the HAL scripts.

I nearly did number 3, but like you I couldn't decide if I should really be fiddling around with firewalls behind the scenes.

> This is very possibly utter crack, and please do let me know if it is. But it seems to me we can run a very generic iptables command in the HAL scripts when a device is plugged in, to open those ports for the synce interface. It would not require any user interaction - it would 'just work' when they plugged in the device. It only opens the ports for the synce interface, not for the other network interfaces on the system. And it should be compatible with most 'firewalls', as just about every Linux firewall is really just a front end for iptables when you get down to it.
>
> Drawbacks: as I said, it may be just crack. I don't know if you're *supposed* to go around firing off non-interactive iptables commands in HAL. Someone may be coming to kill me for suggesting it even as I speak. It definitely looks, walks, smells and sounds like a hack at the very least.
>
> jc2k points out that as far as we know, most 'firewalls' (that is, iptables front ends) tend to just wipe out the entire iptables configuration and create it from scratch whenever they're fired up or their configuration is changed. So if the user does anything to trigger a firewall configuration update after plugging in their device, it will probably wipe out the rule.
>
> I pointed out that at least this would respond to the classic end-user solution: unplug it and plug it in again. That'd fix it, because the rule would be re-created.

Good point, I'd thought we'd probably just be overridden like that, but yes of course we can just do that.

> There may be some kind of security problem with this.
>
> There's probably lots of other drawbacks, do feel free to point them out. :) But I wanted to at least float the idea for feedback. What does anyone think we should do about this - besides writing FirewallKit? :)

I'm glad you have, and I'm very tempted by the hal iptables script. More than once I've had someone say no I haven't got a firewall up, but from the symptoms you just _know_ they have :)

I'm not too good with iptables, mostly 'cos I think it's better to configure the app properly than have a firewall, so if you want to knock some rules up that work that'd be cool.

One of my hal plans is to add a 'plugin' system, maybe I should do that soon :)

Mark
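For the "option 3" approach discussed in the thread, here is an added example (not SynCE project code, not from either poster) of what such a HAL-triggered script could look like: it opens the WM5+ ports listed above only on the device's own interface, checks before adding so a re-plug never stacks duplicate rules, and removes them again on unplug. The interface name `rndis0`, the `SYNCE_HAL_ACTION`/`SYNCE_IFACE` environment variables and the callout hand-off are assumptions.

```shell
#!/bin/sh
# Added example, not SynCE project code: a HAL-callout-style script that
# opens the ActiveSync ports only on the WM device's own interface and
# closes them again on unplug. Interface name, environment variable names
# and the callout mechanism are assumptions.

# TCP ports listed in the thread for WM5+ (5679 for WM2003 is left out,
# since the thread itself is unsure whether it is TCP or UDP).
SYNCE_TCP_PORTS="990 999 5678 5721 26675"

# One rule spec for a port on an interface. '-i' scopes the ACCEPT to
# packets arriving on that interface, so eth0/wlan0 stay closed.
synce_rule_spec() {
    # $1 = interface, $2 = tcp port
    printf 'INPUT -i %s -p tcp --dport %s -j ACCEPT' "$1" "$2"
}

# Print the full command list for review or logging.
# $1 = interface, $2 = iptables action (-I, -A or -D)
synce_rules() {
    for port in $SYNCE_TCP_PORTS; do
        printf 'iptables %s %s\n' "$2" "$(synce_rule_spec "$1" "$port")"
    done
}

# Open idempotently: 'iptables -C' fails when the rule is absent, so a
# re-plug (the fix the thread suggests after a firewall GUI flushes the
# table) re-adds the rule without stacking duplicates. $spec is unquoted
# on purpose so it splits into separate arguments.
synce_open() {
    for port in $SYNCE_TCP_PORTS; do
        spec=$(synce_rule_spec "$1" "$port")
        iptables -C $spec 2>/dev/null || iptables -I $spec
    done
}

# Remove the rules on unplug so the hole does not outlive the device.
synce_close() {
    for port in $SYNCE_TCP_PORTS; do
        spec=$(synce_rule_spec "$1" "$port")
        iptables -D $spec 2>/dev/null || true
    done
}

# Assumed hand-off from HAL: action and interface arrive in the environment.
case "${SYNCE_HAL_ACTION:-}" in
    add)    synce_open  "${SYNCE_IFACE:-rndis0}" ;;
    remove) synce_close "${SYNCE_IFACE:-rndis0}" ;;
esac
```

Run `synce_rules rndis0 -I` to see exactly which rules would be added before letting the script touch a live firewall; note that a front end which rebuilds the whole ruleset will still discard them, as the thread says, until the device is re-plugged.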
_______________________________________________
SynCE-Devel mailing list
SynCE-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/synce-devel