On Wed, 2008-01-16 at 18:52 +0100, Thomas Woerner wrote:
Hello,
here are the latest changes for system-config-firewall for F-9+:
The usage of --port=<port>:<proto> for lokkit will open up this port and
not a service using this port anymore. To enable a service you have to
use the new --service=<name> option. There are no magic default open
services. You have to open up the services you want to use. The interim
options --no-X; X in ["ipsec", "mdns", "ipp"] are obsolete
now.
To set up a new firewall, you can use the new --default=<name>
configuration option as a start:
server : ssh is enabled
desktop : ipsec, mdns and ipp are enabled
These changes for lokkit also affect the kickstart firewall configuration.
There is a utility to convert existing configurations, which will be
used automatically while updating the package.
I don't think it's a good default to have IPP disabled. The cupsd
process already binds to localhost by default, and only binds to '*'
when a printer is explicitly shared by the user.
As for RPC services binding to the IPP port instead -- well, this is a
bug that needs to be fixed regardless. Whether it's done with SELinux
policy, or with a port reservation daemon, or with portmap/glibc hacks,
I don't mind.
It would be different if there were a mechanism that
system-config-printer could use to request that the IPP port be opened
(with user approval), perhaps based on PolicyKit. The truth is that
there is no such mechanism, even though I have repeatedly asked for it.
(No, lokkit is not sufficient: it needs to be something that a non-root
user application can request, as system-config-printer will not run as
root in the future.)
Until that mechanism is provided, blocking the IPP port will make the
user experience of sharing printers quite a lot worse, and will probably
lead to people disabling the firewall altogether in the same way they
have previously disabled SELinux.
Just my humble opinion,
Tim.