ZeroConf in Ubuntu Edgy

Patrick McFarland diablod3 at
Tue Jul 4 01:26:12 BST 2006

On Monday 03 July 2006 19:38, Scott Dier wrote:
> Tobias Wolf wrote:
> > In that case the Ubuntu target audience is clearly of limited scope.
> > Just at the Howto instructions on the forums. You’ll find a port opening
> > fest. Should they all go elsewhere instead? Or should they get hacking
> > iptables by hand if they really want to open ports?
> It's not just a matter of 'fire up a firewall, that fixes the problem'.
>   Nomadic machines do not currently have a great way of saying what
> networks are 'trusted' and which ones are not.

Which is severely problematic. I'd like to see the NetworkManager icon or 
something like that allow me to switch profiles on the fly, or something like 
that. (It needs to be easily accessed, but we don't need yet another icon in 
the systray box)

> Adding another option to 
> nm sounds like a great idea, but how do I explain it to a user?  

Oh, hey, you agree. ;) There's no way to explain it to a user. Either they 
watch/read/experience some sort of manual, or they can figure it out on their 
own. ("Hey! This looks like on the fly firewall profiles! Neat!") 

> How do 
> they know what they are enabling/disabling per network?

A well written GUI should be obvious.

> What services 
> should be triggered on/off with this switch and should a pile of network
> services be handled by an alternate method than init rather than using a
> firewall? 

Whatever the profile says they should be.

> How do you configure it so these services can still be 
> operated without this special service on 'server' machines, too? 

Server machines will have one profile, which contains rules for Internet 
hosts, and optionally LAN hosts if this applies here.

> How 
> does it work when someone has 2 interfaces up, one to a local net
> (trusted) and one to a WAN (untrusted) (ie: gprs and ethernet to a
> customer site)?  There isn't a great way to tell iptables that an
> interface is in a specific profile, so all this stuff would need to be
> changed on the fly with the iptables route.

Actually, there is. Profiles will/can be interface specific. If we tie this 
into NM, this should be obvious to the user in some way.

> I think it needs a lot of serious discussion to develop it into a spec
> first.

I agree.

Patrick McFarland ||
"Computer games don't affect kids; I mean if Pac-Man affected us as kids,
we'd all be running around in darkened rooms, munching magic pills and
listening to repetitive electronic music." -- Kristian Wilson, Nintendo,
Inc, 1989
