On Mon, 27.10.08 22:45, Axel Thimm (Axel.Thimm@ATrpms.net) wrote:
> On Mon, Oct 27, 2008 at 03:53:30PM -0400, David Zeuthen wrote:
> > Hence, if people want to share files using, say, Rhythmbox (and they do), they are left with either
> > 1. Turning off the firewall
> > 2. Configuring iptables(8) or using system-config-firewall
> > Now, let me explain to you how RB/Banshee/gnome-user-share works. They allocate a random high port number. Now, before you complain that you think this is broken you have to understand why this is so.
> > The programs have to do this because you may have several sessions or instances running. So in general you can't really predict the port number (or even range) to use since the user may add new services that share stuff on the network.
> > So in general 2. won't really work (because you'd have to update it dynamically) so users of course resort to 1. Wow, what's that thing going out the window? That other useful stuff that we might have configured the iptables(8) stack with except for blocking ports.
> But dynamical ports are not new to iptables, lots of protocols, be that rpc, h323 or even p-o-d passive ftp need them and conntrack/pom rectify the `static firewall' view.
But all those protocols start the connection with a well known port and then hand things off to a dynamic port. If you use truly random ports then iptables needs to sense what kind of protocol something is based on the packet contents. Which security-wise is a joke, and hence the whole idea makes no sense.
> I haven't followed up the latest netfilter developments, but I know there is even a userspace lib for registering such connections. Maybe RB/mDNS and friends just need a pom `plugin'.
The Linux kernel already has an API for that. It's called listen().
Lennart
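An added illustration of the two models argued over in this thread (not code from the thread or from any of the projects named): `listen()` on port 0 gives each instance its own unpredictable high port, which no static rule can name, whereas the FTP-style "known control port announces the data port in-band" pattern is what a conntrack helper can follow. All ports and payloads here are constructed and everything stays on loopback.

```python
import socket
import threading

HOST = "127.0.0.1"  # loopback only; constructed demo, not a real sharing service

def ephemeral_listener():
    """listen() on port 0: the kernel picks a free high port. This is what
    the sharing apps do, so a firewall rule cannot know the port in advance."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    s.listen(1)
    return s, s.getsockname()[1]

def start_handoff_server():
    """The pattern conntrack helpers can track: a control connection on a
    known port announces the dynamic data port in-band (like FTP PASV)."""
    control = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    control.bind((HOST, 0))  # port 0 here only so the demo never collides
    control.listen(1)

    def serve():
        conn, _ = control.accept()
        data, data_port = ephemeral_listener()
        conn.sendall(f"PORT {data_port}\n".encode())  # the in-band handoff
        dconn, _ = data.accept()
        dconn.sendall(b"shared-file-bytes")
        for s in (dconn, data, conn, control):
            s.close()

    threading.Thread(target=serve, daemon=True).start()
    return control.getsockname()[1]  # the one port a rule could name

def handoff_client(control_port):
    """Connect to the known port, learn the data port, fetch over it."""
    with socket.create_connection((HOST, control_port)) as ctl:
        announced = ctl.makefile("r").readline()  # e.g. "PORT 41234"
        data_port = int(announced.split()[1])
    with socket.create_connection((HOST, data_port)) as d:
        payload = d.recv(1024)
    return data_port, payload

def random_ports_are_unpredictable(n=3):
    """n instances each get a distinct port; an allow-list of one static
    port cannot cover them. Returns the set of ports handed out."""
    socks = [ephemeral_listener() for _ in range(n)]
    ports = {p for _, p in socks}
    for s, _ in socks:
        s.close()
    return ports
```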