ZeroConf in Ubuntu Edgy
Tobias Wolf
towolf at gmail.com
Tue Jul 4 00:58:21 BST 2006
On Monday, 03.07.2006, 18:38 -0500, Scott Dier wrote:
> Tobias Wolf wrote:
> > In that case the Ubuntu target audience is clearly of limited scope.
> > Just look at the Howto instructions on the forums. You'll find a port opening
> > fest. Should they all go elsewhere instead? Or should they get hacking
> > iptables by hand if they really want to open ports?
>
> It's not just a matter of 'fire up a firewall, that fixes the problem'.
> Nomadic machines do not currently have a great way of saying what
> networks are 'trusted' and which ones are not. Adding another option to
> nm sounds like a great idea, but how do I explain it to a user? How do
> they know what they are enabling/disabling per network? What services
> should be triggered on/off with this switch and should a pile of network
> services be handled by an alternate method than init rather than using a
> firewall? How do you configure it so these services can still be
> operated without this special service on 'server' machines, too? How
> does it work when someone has 2 interfaces up, one to a local net
> (trusted) and one to a WAN (untrusted) (i.e. gprs and ethernet to a
> customer site)? There isn't a great way to tell iptables that an
> interface is in a specific profile, so all this stuff would need to be
> changed on the fly with the iptables route.
>
> I think it needs a lot of serious discussion to develop it into a spec
> first.
Jane User and her firewall are also a support nightmare. Just look at how
hard it is for normal users to penetrate a home NAT router with simple
port forwardings.
So, ideally it should be possible to allow/disallow connections based on
applications and zones (yes, truly). And you’re right that it’s
impossible to achieve in the short term.
Out of the services I mentioned earlier only filesharing makes sense on
a WAN. I wouldn’t want to expose the others when I’m in a foreign LAN. I
actually have avahi-discovery on for the fun of it when I connect to my
university's wifi. It is scary to see 10 dozen service notifications fly
by when connecting to it.
-- Tobias
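As an added illustration of the point raised above (that iptables has no notion of an interface belonging to a "trusted" or "untrusted" profile, so the rules have to be regenerated per interface), here is a small shell helper that emits per-interface INPUT rules for the two services the thread mentions, mDNS/avahi (5353/udp) and SMB filesharing (445/tcp). This is example code written for this page, not anything from Ubuntu, NetworkManager or avahi; the interface names eth0 and ppp0 and the zone labels are constructed for the two-interface case described in the reply.

```shell
#!/bin/sh
# Added example: generate iptables INPUT rules for one interface in one zone.
# Zone labels and interface names are constructed for illustration.

# zone_rules IFACE ZONE
# Prints the iptables commands that should apply to IFACE when it is
# attached to a network of class ZONE. Commands are printed, not executed,
# so the caller can review them or feed them to sh when root.
zone_rules() {
    iface=$1
    zone=$2
    case "$zone" in
        trusted)
            # Home/local LAN: allow service discovery and filesharing,
            # but only on this interface.
            echo "iptables -A INPUT -i $iface -p udp --dport 5353 -j ACCEPT"
            echo "iptables -A INPUT -i $iface -p tcp --dport 445 -j ACCEPT"
            ;;
        untrusted)
            # WAN or foreign LAN (e.g. gprs, university wifi): log and drop
            # mDNS so exposure attempts are visible, drop SMB outright.
            echo "iptables -A INPUT -i $iface -p udp --dport 5353 -j LOG --log-prefix 'mdns-drop '"
            echo "iptables -A INPUT -i $iface -p udp --dport 5353 -j DROP"
            echo "iptables -A INPUT -i $iface -p tcp --dport 445 -j DROP"
            ;;
        *)
            echo "unknown zone '$zone' for $iface" >&2
            return 1
            ;;
    esac
}

# rule_count IFACE ZONE: number of rules zone_rules would emit (sanity check).
rule_count() {
    zone_rules "$1" "$2" | wc -l | tr -d ' '
}

# The two-interface case from the thread: ethernet to a trusted local net,
# gprs (ppp0) to an untrusted WAN, each interface getting its own profile.
zone_rules eth0 trusted
zone_rules ppp0 untrusted
```

When an interface changes network, the rules for that interface are flushed and regenerated with the new zone; the generator itself never needs to know about the other interfaces.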