ZeroConf in Ubuntu Edgy

Patrick McFarland diablod3 at gmail.com
Tue Jul 4 01:29:59 BST 2006


On Monday 03 July 2006 19:58, Tobias Wolf wrote:
> On Monday, 03.07.2006 at 18:38 -0500, Scott Dier wrote:
> > Tobias Wolf wrote:
> > > In that case the Ubuntu target audience is clearly of limited scope.
> > > Just look at the Howto instructions on the forums. You’ll find a port
> > > opening fest. Should they all go elsewhere instead? Or should they get
> > > hacking iptables by hand if they really want to open ports?
> >
> > It's not just a matter of 'fire up a firewall, that fixes the problem'.
> > Nomadic machines do not currently have a great way of saying what
> > networks are 'trusted' and which ones are not.  Adding another option to
> > nm sounds like a great idea, but how do I explain it to a user?  How do
> > they know what they are enabling/disabling per network?  What services
> > should be triggered on/off with this switch and should a pile of network
> > services be handled by an alternate method than init rather than using a
> > firewall?  How do you configure it so these services can still be
> > operated without this special service on 'server' machines, too?  How
> > does it work when someone has 2 interfaces up, one to a local net
> > (trusted) and one to a WAN (untrusted) (i.e. GPRS and ethernet to a
> > customer site)?  There isn't a great way to tell iptables that an
> > interface is in a specific profile, so all this stuff would need to be
> > changed on the fly with the iptables route.
> >
> > I think it needs a lot of serious discussion to develop it into a spec
> > first.
>
> Jane User and her firewall is also a support nightmare. Just look at how
> hard it is for normal users to penetrate a home NAT router with simple
> port forwardings.

No, Jane User refuses to understand that her fellow Jane and John Users are 
evil blackhats and want to use her computer and/or data for nefarious 
purposes. That problem, sadly, solves itself often and repeatedly.

> So, ideally it should be possible to allow/disallow connections based on
> applications and zones (yes, truly). And you’re right that it’s
> impossible to achieve in the short term.

Yes! Exactly what I'm talking about. And yes, I agree, this feature may not 
even be ready for Edgy. :(

> Out of the services I mentioned earlier only filesharing makes sense on
> a WAN. I wouldn’t want to expose the others when I’m in a foreign LAN. I
> actually have avahi-discovery on for the fun of it when I connect to my
> university's wifi. It is scary to see 10 dozen service notifications fly
> by when connecting to it.

Depends if it's intentional or not. Let's say I had a magic bittorrent client 
that found fellow clients via mDNS, and if they were on the same torrent, 
they would share traffic (much like how some bittorrent clients already do 
this). This would be a very useful intentional case.

mDNS-using apps obviously have to have sane defaults, otherwise this is a 
pointless effort.

> -- Tobias

-- 
Patrick McFarland || www.AdTerrasPerAspera.com
"Computer games don't affect kids; I mean if Pac-Man affected us as kids,
we'd all be running around in darkened rooms, munching magic pills and
listening to repetitive electronic music." -- Kristian Wilson, Nintendo,
Inc, 1989
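Scott's point that "there isn't a great way to tell iptables that an interface is in a specific profile", and Tobias's wish for allow/disallow by zone, can at least be approximated with one iptables chain per interface that is rebuilt whenever the link comes up. The script below is an added example, not code from this thread or from Ubuntu; it assumes (constructed for illustration) that mDNS on 5353/udp, CUPS on 631/tcp and SMB on 139/tcp and 445/tcp are the LAN-only services, and that eth0 is a trusted and ppp0 an untrusted interface. It prints the rules rather than running them, so the policy can be read and tested without root; a NetworkManager dispatcher script could call `apply` with the zone it has decided for that interface.

```shell
#!/bin/sh
# Added example, not part of the thread: a per-interface "zone" for LAN-only
# services, implemented as one iptables chain per interface so that it can be
# re-run safely every time the interface comes up (or changes zone).
# Constructed assumptions: the services that should only be reachable from a
# trusted network are mDNS (5353/udp), CUPS (631/tcp) and SMB (139,445/tcp).
# Interface names used in the comments (eth0, ppp0) are illustrative.

LAN_UDP_PORTS="5353"
LAN_TCP_PORTS="631 139 445"

# gen_rules IFACE ZONE   (ZONE is "trusted" or "untrusted")
# Prints the iptables commands for IFACE to stdout instead of executing them.
# Returns 1 (and prints nothing to stdout) on an unknown zone name.
gen_rules() {
    iface=$1
    case $2 in
        trusted)   verdict=ACCEPT ;;
        untrusted) verdict=DROP ;;
        *) echo "gen_rules: zone must be trusted or untrusted" >&2; return 1 ;;
    esac
    chain="ZONE_$iface"
    # Create the chain if it is missing, otherwise flush it: re-running after a
    # zone change replaces the old verdicts instead of stacking rules.
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # Keep exactly one jump from INPUT for this interface: delete any old one
    # (ignoring "no such rule"), then insert a fresh one at the top.
    echo "iptables -D INPUT -i $iface -j $chain 2>/dev/null || true"
    echo "iptables -I INPUT 1 -i $iface -j $chain"
    # One verdict per LAN-only service; untrusted interfaces get DROP.
    for p in $LAN_UDP_PORTS; do
        echo "iptables -A $chain -p udp --dport $p -j $verdict"
    done
    for p in $LAN_TCP_PORTS; do
        echo "iptables -A $chain -p tcp --dport $p -j $verdict"
    done
    # Everything else on this interface falls through to the normal INPUT policy.
    echo "iptables -A $chain -j RETURN"
}

# Usage:  sh zones.sh show  eth0 trusted     (print the rules for review)
#         sh zones.sh apply ppp0 untrusted   (execute them; needs root)
case ${1:-} in
    show)  gen_rules "$2" "$3" ;;
    apply) gen_rules "$2" "$3" | sh -e ;;
esac
```

Because each interface owns its chain, flipping ppp0 from untrusted to trusted is a single re-run of `apply ppp0 trusted`; no other interface's rules are touched, which is what the two-interface (LAN plus GPRS) case in the thread needs. The chain only decides the handful of LAN-only ports and then returns, so the usual INPUT policy still applies to everything else.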