-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On Sat, Sep 28, 2013 at 01:34:48PM +0200, Björn Persson wrote:
> Eric H. Christensen wrote:
> >> link-layer encryption like WPA2 won't protect anything anymore
> >
> >What do you think WPA2 protects against? It has never protected
> >against anythin
Eric H. Christensen wrote:
>What are you trying to protect yourself from, exactly?
Me? Other than address translation (a necessary evil) I use packet
filters mostly to restrain crazy programs that open listening sockets
for unknown reasons even though I don't use them for any kind of
communication
Will Woods wrote:
> So if you actually wanted to write another yum replacement in C you
> could probably start with zif, port it to use libsolv and libcomps, fix
> up the CLI, and have yourself a functional prototype.
There's actually some stuff in PackageKit:
https://gitorious.org/packagekit/pack
On Wed, 2013-09-25 at 21:04 +0200, Kevin Kofler wrote:
> All the actual logic of DNF is written in C, so I really don't see why
> we should be stuck with that Python wrapper.
...it's not just a "wrapper". DNF has replaced yum's depsolver but ~90%
of the code in yum *isn't* depsolving.
To repla
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On Wed, Sep 25, 2013 at 08:42:38PM +0200, Björn Persson wrote:
> Eric H. Christensen wrote:
> >Authentication is based on WEP/WPA/WPA2 passphrase, possibly a MAC
> >address (BSSID), and 802.1 authentication.
>
> There were no protests and no warning
Luke Macken wrote:
> dnf is written in Python, so I don't think that'll be possible. The
> roadmap for 2.0 is apparently going to involve porting to Python3, which
> will most likely help with the memory usage, but not with the
> installation size.
We should be defaulting to some other Hawkey (or
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Eric H. Christensen wrote:
>Authentication is based on WEP/WPA/WPA2 passphrase, possibly a MAC
>address (BSSID), and 802.1 authentication.
I guess you refer to using 802.1X with an EAP method that provides
mutual authentication, authenticating both
Hello Adam,
- Original Message -
> From: Adam Williamson
> Subject: Re: About F19 Firewall
>
> That's ironic: just yesterday - without having yet read this discussion
> - I used the firewalld on my laptop to lock down the 'public' zone to
> allo
On Fri, 2013-09-20 at 20:33 -0400, Matthew Miller wrote:
> On Sat, Sep 21, 2013 at 12:40:15AM +0200, Björn Persson wrote:
> > >> Anyone can broadcast an SSID. How does FirewallD authenticate the
> > >> network connection?
> > >FirewallD is not responsible for such authentication/AP validation.
> >
On Sat, 2013-09-21 at 03:05 +0800, P J P wrote:
>Yes, I understand the functionality, but I doubt if it'll be used
> at all. It's not desktop background that people would want to change
> everyday.
That's ironic: just yesterday - without having yet read this discussion
- I used the firewalld
- Original Message -
> From: poma
> Subject: Re: About F19 Firewall
>> Ex. Say I start virt-manager, it prompts me for authentication, I enter
> password and click [Ok]. It starts libvirtd in the background, creates
> interfaces, adds firewall rules etc. etc.
>
On Fri, Sep 20, 2013 at 10:15:33AM -0400, Matthew Miller wrote:
> And, the python stack is a meaningfully-large portion of the minimal
> install. Right now, that's unavoidable because of yum, but in the not-so-far
> future dnf may make it possible to remove that. If we're putting in _more_
> python
On 24.09.2013 17:29, P J P wrote:
…
> Ex. Say I start virt-manager, it prompts me for authentication, I enter
> password and click [Ok]. It starts libvirtd in the background, creates
> interfaces, adds firewall rules etc. etc. As a user looking at the GUI, I'm
> completely oblivious to what it
On 09/24/2013 06:53 PM, Thomas Woerner wrote:
On 09/21/2013 12:22 AM, Chuck Anderson wrote:
On Fri, Sep 20, 2013 at 04:17:21PM +0200, Thomas Woerner wrote:
If a static firewall configuration fits your needs, just disable
firewalld and use the ip*tables firewall services:
https://fedoraproject.
On 09/21/2013 12:22 AM, Chuck Anderson wrote:
On Fri, Sep 20, 2013 at 04:17:21PM +0200, Thomas Woerner wrote:
If a static firewall configuration fits your needs, just disable
firewalld and use the ip*tables firewall services:
https://fedoraproject.org/wiki/FirewallD?rd=FirewallD/#Using_static_f
On 09/21/2013 12:08 AM, Mateusz Marzantowicz wrote:
On 20.09.2013 22:23, Björn Persson wrote:
Anyone can broadcast an SSID. How does FirewallD authenticate the
network connection?
FirewallD is not responsible for such authentication/AP validation.
Firewall as such is not meant to assure you'
- Original Message -
> From: Thomas Woerner
> Subject: Re: About F19 Firewall
> O.k., then please provide a program that places (user supplied) rules at
> the proper position in an (user supplied) rule set in that way that it
> will always result in the (user) expected be
On 09/24/2013 05:15 PM, P J P wrote:
Hello Thomas,
- Original Message -
From: Thomas Woerner
Subject: Re: About F19 Firewall
You have to make sure where you are adding new rules. Here is a simple
example where you want to drop everything from 192.168.1.18:
If you do it wrong it
Hi,
- Original Message -
> From: Thomas Woerner
> Subject: Re: About F19 Firewall
> Applications or daemons can only request changes to the firewall if they
> are authenticated.
Sure. But user authentication is a function of the task an application performs
and not of
Hello Thomas,
- Original Message -
> From: Thomas Woerner
> Subject: Re: About F19 Firewall
> You have to make sure where you are adding new rules. Here is a simple
> example where you want to drop everything from 192.168.1.18:
>
> If you do it wrong it could end up
On 09/20/2013 10:10 PM, P J P wrote:
Hi,
- Original Message -
From: Thomas Woerner
Subject: Re: About F19 Firewall
If a static firewall configuration fits your needs, just disable
firewalld and use the ip*tables firewall services:
Static? Oh my...! Firewalld allows
On 09/20/2013 09:05 PM, P J P wrote:
Hi,
- Original Message -
From: Thomas Woerner
Subject: Re: About F19 Firewall
1) Separate zones.
NM connections, interfaces and source addresses or ranges can be bound
to zones. The initial default zone is public and all connections will be
Hi,
- Original Message -
> From: P J P
> Subject: Re: About F19 Firewall
>
> Static? Oh my...! Firewalld allows Applications, daemons and the user can
> request to enable a firewall feature over D-BUS. It does not seem like a good
> idea at all.
What happens
On Sat, Sep 21, 2013 at 12:40:15AM +0200, Björn Persson wrote:
> >> Anyone can broadcast an SSID. How does FirewallD authenticate the
> >> network connection?
> >FirewallD is not responsible for such authentication/AP validation.
> >Firewall as such is not meant to assure you're connecting to where
Mateusz Marzantowicz wrote:
>On 20.09.2013 22:23, Björn Persson wrote:
>> Anyone can broadcast an SSID. How does FirewallD authenticate the
>> network connection?
>
>FirewallD is not responsible for such authentication/AP validation.
>Firewall as such is not meant to assure you're connecting to whe
On Fri, Sep 20, 2013 at 04:17:21PM +0200, Thomas Woerner wrote:
> If a static firewall configuration fits your needs, just disable
> firewalld and use the ip*tables firewall services:
>
> https://fedoraproject.org/wiki/FirewallD?rd=FirewallD/#Using_static_firewall_rules_with_the_iptables_and_ip6ta
On 20.09.2013 22:23, Björn Persson wrote:
>
> Anyone can broadcast an SSID. How does FirewallD authenticate the
> network connection?
>
FirewallD is not responsible for such authentication/AP validation.
Firewall as such is not meant to assure you're connecting to where you want.
Mateusz Marza
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On Fri, Sep 20, 2013 at 10:23:27PM +0200, Björn Persson wrote:
> Thomas Woerner wrote:
> >If for
> >example you are using wifi connections at home, work, .. you can bind
> >these to the (for you) appropriate zone. For example work for your
> >work wi
Hi,
- Original Message -
> From: Thomas Woerner
> Subject: Re: About F19 Firewall
> If a static firewall configuration fits your needs, just disable
> firewalld and use the ip*tables firewall services:
Static? Oh my...! Firewalld allows Applications, daemons and
Thomas Woerner wrote:
>If for
>example you are using wifi connections at home, work, .. you can bind
>these to the (for you) appropriate zone. For example work for your
>work wifi connection. It will be used only if you are connecting to
>your work wifi connection (it is bound to the SSID).
Anyone
Hi,
- Original Message -
> From: Thomas Woerner
> Subject: Re: About F19 Firewall
> 1) Separate zones.
> NM connections, interfaces and source addresses or ranges can be bound
> to zones. The initial default zone is public and all connections will be
> bound to t
On Fri, Sep 20, 2013 at 03:12:30PM +, "Jóhann B. Guðmundsson" wrote:
> Do you have list somewhere of python dependent code in the core/baseOS?
Yes, I do. It's:
firewalld
yum
(In the cloud image, we also have cloud-init, though..)
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁
-
On Fri, Sep 20, 2013 at 06:12:56PM +0200, Phil Knirsch wrote:
> same for yum via dnf. That only leaves authconfig, which should be
> doable as well (just needs someone actually doing it).
There's really no need for authconfig in the minimal. It needs to be there
for initial configuration, but in m
On Fri, Sep 20, 2013 at 06:07:17PM +0200, Phil Knirsch wrote:
> rpm -q --whatrequires "python(abi)" --qf "%{NAME}\n" | sort
> gives me this list:
[...]
> authconfig
Oops I forgot that one.
[...]
> So there's quite a bit of other stuff that still requires python as
> well apart from firewalld.
I
On 09/20/2013 05:12 PM, "Jóhann B. Guðmundsson" wrote:
On 09/20/2013 02:15 PM, Matthew Miller wrote:
On Tue, Sep 17, 2013 at 04:50:06PM +0200, Mateusz Marzantowicz wrote:
It's written in Python and so what? Interpreted languages like Perl and
Bash are widely used in Linux world to implement man
On Fri, Sep 20, 2013 at 04:30:05PM +0200, Thomas Woerner wrote:
> We are already working towards a rewrite in C for firewalld and
> firewall-cmd.
Awesome -- I know you'd mentioned this but I'm glad to hear that it's in
progress. I'd still _really_ like a way to have a non-long-running mode.
> fi
On 09/20/2013 06:07 PM, Phil Knirsch wrote:
On 09/20/2013 05:12 PM, "Jóhann B. Guðmundsson" wrote:
On 09/20/2013 02:15 PM, Matthew Miller wrote:
On Tue, Sep 17, 2013 at 04:50:06PM +0200, Mateusz Marzantowicz wrote:
It's written in Python and so what? Interpreted languages like Perl and
Bash ar
On 09/20/2013 02:15 PM, Matthew Miller wrote:
On Tue, Sep 17, 2013 at 04:50:06PM +0200, Mateusz Marzantowicz wrote:
It's written in Python and so what? Interpreted languages like Perl and
Bash are widely used in Linux world to implement many tools. I don't buy
argumentation that if something is
On 09/20/2013 04:15 PM, Matthew Miller wrote:
On Tue, Sep 17, 2013 at 04:50:06PM +0200, Mateusz Marzantowicz wrote:
It's written in Python and so what? Interpreted languages like Perl and
Bash are widely used in Linux world to implement many tools. I don't buy
argumentation that if something is
On 20.09.2013 15:59, Thomas Woerner wrote:
>> Multicast
>> DNS is allowed in the internal network(chain IN_internal_allow). I
>> guess IN_internal_allow is meant for some closed group internal
>> network, not sure.
>>
>> ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp
On 09/18/2013 08:16 AM, P J P wrote:
Hello,
- Original Message -
From: Mateusz Marzantowicz
Subject: Re: About F19 Firewall
Maybe, true but I doubt that simpler set of rules, that never get
audited, written by inexperienced users are more secure than "complex"
rules in
On 09/17/2013 07:21 AM, P J P wrote:
- Original Message -
From: P J P
Subject: About F19 Firewall
It doesn't have to be so complicated that even if one tries to understand it,
he/she can not. :(
This small script seems to work good.
===
#!/bin/sh
#
# fw.sh: a basic drop unless
On Tue, Sep 17, 2013 at 04:50:06PM +0200, Mateusz Marzantowicz wrote:
> It's written in Python and so what? Interpreted languages like Perl and
> Bash are widely used in Linux world to implement many tools. I don't buy
> argumentation that if something is not implemented in C it sucks.
It's not th
Hello,
On 09/16/2013 07:55 AM, P J P wrote:
Hello Tomasz,
- Original Message -
From: Tomasz Torcz
Subject: Re: About F19 Firewall
You seem to have missed this Fedora *18* feature:
https://fedoraproject.org/wiki/Features/firewalld-default
firewall-cmd is supposed to isolate
On 09/15/2013 08:52 PM, P J P wrote:
Hi,
I upgraded to F19 recently. And I happened to look at the output of iptables(8)
today.
$ iptables -nL
It's baffling! It's crazy 4 pages long listing!!
Why are there so many chains? Most are empty. Those which have rules, jump
from one chai
Hello,
- Original Message -
> From: Mateusz Marzantowicz
> Subject: Re: About F19 Firewall
>
> Maybe, true but I doubt that simpler set of rules, that never get
> audited, written by inexperienced users are more secure than "complex"
> rules in FirewallD
On 17.09.2013 15:02, Kevin Kofler wrote:
> P J P wrote:
>> Hmmn, it should have been a package for user to install at will, rather
>> than a replacement of an understandable firewall.
>
> +1, the fact that this is opt-out rather than opt-in (even for upgrades from
> Fedora ≤ 17 – I had to go out
P J P wrote:
> Hmmn, it should have been a package for user to install at will, rather
> than a replacement of an understandable firewall.
+1, the fact that this is opt-out rather than opt-in (even for upgrades from
Fedora ≤ 17 – I had to go out of my way to disable that "feature"
immediately af
On 09/15/2013 08:52 PM, P J P wrote:
Why are there so many chains? Most are empty. Those which have rules, jump
from one chain to another and that jumps to yet another.
https://bugzilla.redhat.com/show_bug.cgi?id=907375#c2
Multicast DNS is allowed in the internal network(chain IN_internal_all
On 17.09.2013 12:31, Nicolas Mailhot wrote:
>
> On Tue, 17 September 2013 11:33, Björn Persson wrote:
>> Mateusz Marzantowicz wrote:
>>> Wireless networks have unique "names" and are represented as different
>>> connections on NetworkManager (network connection != interface). For
>>> network nam
On Tue, 17 September 2013 11:33, Björn Persson wrote:
> Mateusz Marzantowicz wrote:
>>Wireless networks have unique "names" and are represented as different
>>connections on NetworkManager (network connection != interface). For
>>network named "MyHomeNet" one can associate Home zone in NetworkMa
On 09/17/2013 11:33 AM, Björn Persson wrote:
Mateusz Marzantowicz wrote:
Wireless networks have unique "names" and are represented as different
connections on NetworkManager (network connection != interface). For
network named "MyHomeNet" one can associate Home zone in NetworkManager
and for net
Mateusz Marzantowicz wrote:
>Wireless networks have unique "names" and are represented as different
>connections on NetworkManager (network connection != interface). For
>network named "MyHomeNet" one can associate Home zone in NetworkManager
>and for network "CoffeShowHotSpot" one assigns Public z
Hi Mateusz,
- Original Message -
> From: Mateusz Marzantowicz
> Subject: Re: About F19 Firewall
>
> Wireless networks have unique "names" and are represented as different
> connections on NetworkManager (network connection != interface). For
> netwo
On 16.09.2013 07:55, P J P wrote:
>Hello Tomasz,
>
> - Original Message -
>> From: Tomasz Torcz
>> Subject: Re: About F19 Firewall
>> You seem to have missed this Fedora *18* feature:
>> https://fedoraproject.org/wiki/Features/firewalld-default
- Original Message -
> From: P J P
> Subject: About F19 Firewall
> It doesn't have to be so complicated that even if one tries to understand it,
> he/she can not. :(
This small script seems to work good.
===
#!/bin/sh
#
# fw.sh: a basic drop unless allowed firewall.
FW='iptables -t
Hello Tomasz,
- Original Message -
> From: Tomasz Torcz
> Subject: Re: About F19 Firewall
> You seem to have missed this Fedora *18* feature:
> https://fedoraproject.org/wiki/Features/firewalld-default
> firewall-cmd is supposed to isolate user from all this c
On Mon, Sep 16, 2013 at 02:52:07AM +0800, P J P wrote:
> Hi,
>
> I upgraded to F19 recently. And I happened to look at the output of
> iptables(8) today.
>
> $ iptables -nL
>
> It's baffling! It's crazy 4 pages long listing!!
You seem to have missed this Fedora *18* feature:
https://
58 matches