Reading the discussion about Taroon, portmapper, ports, etc., reminded me of one of the shortcomings of Red Hat Linux (and all other distributions AFAIK).
It seems to me that the fundamental problem is the lack of "linkage" (for lack of a better word) between service configuration and firewall configuration. In an ideal world, the network access required by a service would be easy to determine -- perhaps with chkconfig-like metadata in the init script. The firewall configuration program could then be enhanced to prompt accordingly.
Even better, to my mind, would be to actually combine the services and firewall configuration programs. Instead of a single checkbox for each service, each service would have a checkbox for each interface. The network configuration program should probably prompt the user to run the firewall configuration when an interface is added.
Just some thoughts on future directions. Flame away!
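As an added illustration of the idea above (this is not code from the thread or from Red Hat), the following POSIX shell script reads a hypothetical "# ports:" header line from an init script, in the same comment style as the existing "# chkconfig:" line, and generates iptables INPUT rules that expose those ports only on the interfaces an administrator names. The "# ports:" line, the sample init-script headers and the interface list are all constructed for the example; nothing is applied to a live firewall, the rules are only printed for review.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or any Red Hat tool.
# Assumption: init scripts carry a "# ports: proto/port ..." metadata line
# next to the usual "# chkconfig:" line. Real Red Hat init scripts of the
# time had no such line; it is invented here to show the linkage idea.

# Constructed sample init-script headers (content is made up for the demo).
SAMPLE_SSHD='#!/bin/sh
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
# ports: tcp/22
'
SAMPLE_HTTPD='#!/bin/sh
# chkconfig: - 85 15
# description: Apache web server
# ports: tcp/80 tcp/443 bogus/1
'

# extract_ports SCRIPT_TEXT -> prints each proto/port token on its own line.
extract_ports() {
    printf '%s\n' "$1" \
        | sed -n 's/^# ports:[[:space:]]*//p' \
        | tr ' ' '\n' \
        | grep -v '^$'
}

# gen_rules "IFACE ..." "proto/port ..." -> prints one ACCEPT rule per
# interface/port pair. Binding every rule to -i keeps a service reachable
# on, say, the LAN interface without exposing it on the Internet-facing one.
# Tokens with an unknown protocol are reported on stderr and skipped.
gen_rules() {
    ifaces=$1
    ports=$2
    for tok in $ports; do
        proto=${tok%%/*}
        port=${tok#*/}
        case "$proto" in
            tcp|udp) ;;
            *) echo "skipping unknown protocol in token: $tok" >&2; continue ;;
        esac
        for i in $ifaces; do
            printf 'iptables -A INPUT -i %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
                "$i" "$proto" "$port"
        done
    done
}

# Convenience wrappers: expose sshd on eth0 only, httpd on eth0 and eth1.
sshd_rules()  { gen_rules "eth0"      "$(extract_ports "$SAMPLE_SSHD")"; }
httpd_rules() { gen_rules "eth0 eth1" "$(extract_ports "$SAMPLE_HTTPD")"; }

sshd_rules
httpd_rules
```

A real implementation would read the header from /etc/init.d/<service> and feed the chosen interfaces from the firewall configuration dialog; the per-interface choice is what answers the "whole internet or local network?" question, because the operator decides per interface rather than per service.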
Ian Pilcher (i.pilcher@comcast.net) said:
Reading the discussion about Taroon, portmapper, ports, etc., reminded me of one of the shortcomings of Red Hat Linux (and all other distributions AFAIK).
It seems to me that the fundamental problem is the lack of "linkage" (for lack of a better word) between service configuration and firewall configuration. In an ideal world, the network access required by a service would be easy to determine -- perhaps with chkconfig-like metadata in the init script. The firewall configuration program could then be enhanced to prompt accordingly.
Even better, to my mind, would be to actually combine the services and firewall configuration programs. Instead of a single checkbox for each service, each service would have a checkbox for each interface. The network configuration program should probably prompt the user to run the firewall configuration when an interface is added.
Just some thoughts on future directions. Flame away!
As it currently stands, things like portmap don't need to tweak the firewall config; they will work just fine with the firewall (allow connections initiated from the host).
Where you run into issues are if you *specifically* want to expose a service, such as ssh, FTP, or HTTP.
Bill
On Mon, 25 Aug 2003, Ian Pilcher wrote:
It seems to me that the fundamental problem is the lack of "linkage" (for lack of a better word) between service configuration and firewall configuration.
Well, there's so much policy involved. E.g. you could perhaps add special comment lines to init scripts (à la the chkconfig lines) to indicate ports which are used by an app - but how do you tell whether the user wants them accessible to the network? And if so, the whole internet? His local network? ???
Just some thoughts on future directions. Flame away!
Got any ideas? :)
One thing I would like is a portmap with hooks on RPC client registration/deregistration (i.e. to set up firewalls).
regards,