ZeroConf in Ubuntu Edgy

Tobias Wolf towolf at
Tue Jul 4 00:58:21 BST 2006

Am Montag, den 03.07.2006, 18:38 -0500 schrieb Scott Dier:
> Tobias Wolf wrote:
> > In that case the Ubuntu target audience is clearly of limited scope.
> > Just at the Howto instructions on the forums. You’ll find a port opening
> > fest. Should they all go elsewhere instead? Or should they get hacking
> > iptables by hand if they really want to open ports?
> It's not just a matter of 'fire up a firewall, that fixes the problem'. 
>   Nomadic machines do not currently have a great way of saying what 
> networks are 'trusted' and which ones are not.  Adding another option to 
> nm sounds like a great idea, but how do I explain it to a user?  How do 
> they know what they are enabling/disabling per network?  What services 
> should be triggered on/off with this switch and should a pile of network 
> services be handled by an alternate method than init rather than using a 
> firewall?  How do you configure it so these services can still be 
> operated without this special service on 'server' machines, too?  How 
> does it work when someone has 2 interfaces up, one to a local net 
> (trusted) and one to a WAN (untrusted) (ie: gprs and ethernet to a 
> customer site)?  There isn't a great way to tell iptables that an 
> interface is in a specific profile, so all this stuff would need to be 
> changed on the fly with the iptables route.
> I think it needs a lot of serious discussion to develop it into a spec 
> first.

Jane User and her firewall is also a support nightmare. Just look at how
hard it is for normal users to penetrate a home NAT router with simple
port forwardings.

So, ideally it should be possible to allow/disallow connections based on
applications and zones (yes, truly). And you’re right that it’s
impossible to achieve in the short term.

Out of the services I mentioned earlier only filesharing makes sense on
a WAN. I wouldn’t want to expose the others when I’m in a foreign LAN. I
actually have avahi-discovery on for the fun of it when I connect to my
universities wifi. It is scary to see 10 dozen service notifications fly
by when connecting to it.

-- Tobias

More information about the ubuntu-devel mailing list