On Mon, Oct 27, 2008 at 03:53:30PM -0400, David Zeuthen wrote:
> Hence, if people want to share files using, say, Rhythmbox (and they do), they are left with either
> 1. Turning off the firewall
> 2. Configuring iptables(8) or using system-config-firewall
> Now, let me explain to you how RB/Banshee/gnome-user-share works. They allocate a random high port number. Now, before you complain that you think this is broken, you have to understand why this is so.
> The programs have to do this because you may have several sessions or instances running. So in general you can't really predict the port number (or even range) to use, since the user may add new services that share stuff on the network.
> So in general 2. won't really work (because you'd have to update it dynamically), so users of course resort to 1. Wow, what's that thing going out the window? That other useful stuff that we might have configured the iptables(8) stack with, except for blocking ports.
But dynamic ports are not new to iptables; lots of protocols, be that rpc, h323 or even p-o-d passive ftp, need them, and conntrack/pom rectify the `static firewall' view.
I haven't followed up the latest netfilter developments, but I know there is even a userspace lib for registering such connections. Maybe RB/mDNS and friends just need a pom `plugin'.
Note that just as you turn off iptables and prefer selinux, I do that the other way around, as my selinux foo is less than desirable. I guess both of us are not really doing The Right Thing, but sometimes time matters.