ZeroConf in Ubuntu Edgy
krstic at fas.harvard.edu
Tue Jul 4 02:07:31 BST 2006
Patrick McFarland wrote:
> What about my earlier idea about packages adding rules to the Magic Firewall
> App to allow users to manage apps, not ports? ("I want to enable Apache! WTF
> is this port 80 shit? Yargh!")
Earlier in the thread, I wrote: "At UBZ, we actually had a BOF about
comprehensive (per-package) firewalling, which is where I'd really like
us to go eventually, in addition to a pretty UI."
This was discussed quite a while back. We want to get there, and
recognize it as a good, albeit not complete, eventual solution.
> Technically no, but not using an app in listen only mode because it may be
> insecure is worse than using said app in listen only mode and suffering the
> possible security bugs.
No one is stopping users from enabling listening services, should they
choose to do so. We do very little clobbering to make sure that the
packages we install by default don't open ports by default; the "no open
ports by default" policy has much more to do with not shipping things
that open ports by default, than it does with removing or limiting
server functionality from applications we do ship (such as with CUPS).
> Well, a required thing is being able to set certain services to certain
> profiles and zones. This is required. Also, being able to set rules based on
> MAC is also required.
I think I'll withdraw from the thread at this point. You seem very
passionate about this; if you channeled the passion into getting your
hands on an OS X machine, giving things like ZoneAlarm et al a spin on
Windows, and writing up the results, you would find your input much more
appreciated, and the results likely much more rewarding. I can
understand not being able or willing to code, but there's no good reason
you can't produce an excellent spec, other than not wanting to put in
the time and effort.
Ivan Krstic <krstic at fas.harvard.edu> | GPG: 0x147C722D