On 2013-09-11 14:46, Daniel J Walsh wrote:

On 09/11/2013 06:35 AM, Heiko Adams wrote:
On 11.09.2013 12:30, Alec Leamas wrote:
That said, I see your point.  Seems to boil down to that only the
application knows which port(s)  to open and why, whereas only the
firewall can guarantee  that it actually opens the ports requested by
user instead of something else.

So the application needs to ask the firewall to open one or more ports and
the firewall has to ask the user for permission to do so. In this scenario
the firewall knows what application wants which port(s) to be open. Letting
the application directly ask for permission to punch holes in the firewall
is IMHO the worst case of all and a security nightmare.



Asking my wife if she intends to open port 2345 is a waste of time.  She has
no idea whether or not this is required.  And will quickly learn to answer ok.

Asking her "Do you want to make security changes to share directory
/home/phyllis/Share?"  Or

"Do you want to make security changes to share Printer XYZ?"

Would make sense.

Having applications register prompts/ports in the installed package, which
firewalld could look up and send as a prompt to the user, would be the best
solution to this problem.

This of course does not stop a Firefox plugin from attempting to share a
directory, but my wife would have more of a chance to say no.

Although this would work for both our wives, I'd hate it myself. There needs to be some way in the interface to understand what's *really* going on here, the ports opened, triggers etc. But not unless requested, agreed.