ZeroConf in Ubuntu Edgy

Patrick McFarland diablod3 at gmail.com
Tue Jul 4 01:59:56 BST 2006


On Monday 03 July 2006 20:35, Ivan Krstic wrote:
> Tobias Wolf wrote:
> > What about Samba, Cups in browse mode, Rhythmbox in sharing mode,
> > filesharing with Bittorrent et al., VOIP, SSH, an Apache for web pages
> > or webdav, NFS, et cetera ad inf. Linux is an essentially networked OS.
> > Do you want to extend the policy to a port opening prohibition?
>
> There was clearly never talk nor discussion of a port opening
> prohibition. On the other hand, it's still a reasonable proposition that
> users who run Apache, SSH, and NFS should know enough about their system
> to set up any requisite security (neither of the three services are
> gaping security holes by default).

What about my earlier idea about packages adding rules to the Magic Firewall 
App to allow users to manage apps, not ports? ("I want to enable Apache! WTF 
is this port 80 shit? Yargh!")

> As for Samba, CUPS in browse mode, and Rhythmbox -- these have no easy
> nor obvious firewall policy that makes them more secure.

Technically no, but not using an app in listen only mode because it may be 
insecure is worse than using said app in listen only mode and suffering the 
possible security bugs.

> As a 
> first-order approximation, one could limit inbound access to them to the
> current network as given by the (ipaddr, netmask) tuple, but that's a
> hack. Perhaps a useful hack, but not without detailed prior discussion
> in spec form.

Well, a required thing is being able to set certain services to certain 
profiles and zones. This is required. Also, being able to set rules based on 
MAC is also required.

-- 
Patrick McFarland || www.AdTerrasPerAspera.com
"Computer games don't affect kids; I mean if Pac-Man affected us as kids,
we'd all be running around in darkened rooms, munching magic pills and
listening to repetitive electronic music." -- Kristian Wilson, Nintendo,
Inc, 1989
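
An added example, not part of the original message and not Ubuntu code: a sketch of the "manage apps, not ports" idea from this message, combined with the (ipaddr, netmask) restriction quoted above and the zone and MAC requirements. The profile table, function names, zone names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# Hypothetical per-application profiles (constructed for this example);
# in the scheme discussed above, each package would ship its own entry.
APP_PROFILES = {
    "apache": [("tcp", 80)],
    "samba": [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)],
    "cups": [("tcp", 631), ("udp", 631)],
    "rhythmbox-sharing": [("tcp", 3689)],  # DAAP
}
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def local_network(ipaddr, netmask):
    """Return the network containing ipaddr, e.g. 192.168.1.0/24."""
    return ipaddress.ip_interface(f"{ipaddr}/{netmask}").network


def rules_for(app, ipaddr, netmask, zone="local", mac=None):
    """Build iptables ACCEPT rules for one application.

    zone="local" limits sources to the current network; zone="any" does not.
    mac, if given, additionally requires that source MAC address.
    """
    if app not in APP_PROFILES:
        raise KeyError(f"no firewall profile for {app!r}")
    if zone not in ("local", "any"):
        raise ValueError(f"unknown zone {zone!r}")
    if mac is not None and not MAC_RE.fullmatch(mac):
        raise ValueError(f"malformed MAC address {mac!r}")
    rules = []
    for proto, port in APP_PROFILES[app]:
        parts = ["iptables", "-A", "INPUT", "-p", proto]
        if zone == "local":
            parts += ["-s", str(local_network(ipaddr, netmask))]
        parts += ["--dport", str(port)]
        if mac is not None:
            parts += ["-m", "mac", "--mac-source", mac]
        parts += ["-j", "ACCEPT"]
        rules.append(" ".join(parts))
    return rules


if __name__ == "__main__":
    # Constructed sample: a host at 192.168.1.37/255.255.255.0 enabling Samba.
    for rule in rules_for("samba", "192.168.1.37", "255.255.255.0"):
        print(rule)
```

The generated rules only matter under a default-drop INPUT policy, and a source MAC match is meaningful only on the local link, since MAC addresses do not cross routers.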




More information about the ubuntu-devel mailing list