Adam Williamson
2008-09-16 16:49:11 UTC
Hi, folks.
Lately I've been exercising my tiny brain about firewalls. :) Namely,
what do we do about the bloody things when people have one?
Most of you probably know or have observed by now that you can't do
anything useful with synce if you've got a fairly normal firewall setup.
This is of course because the device is a network interface and your
firewall helpfully blocks the bad, evil communications with it. So to do
anything useful with synce you need the following ports to be opened for
the WM device interface:
990/tcp 999/tcp 5678/tcp 5721/tcp 26675/tcp
that's for WM5+. For WM2003 and earlier I think 5679 is also needed (not
sure if that's UDP or TCP, sources seem to conflict).
Now I'm scratching my head about how to go about this.
Option 1 - do nothing about it in software and just write details on how
to open those ports into the How To Synchronize Your Phone guides we
have lying around everywhere. This sucks for hopefully obvious
reasons. :)
Option 2 - I can add this to our (Mandriva's) firewall configuration GUI
(it's very simple) so you can just run drakfirewall, click on a box,
click OK three times, and your sync works. But:
* This still requires interaction.
* It's kinda inelegant and non-obvious - you'll probably have to read
some kind of documentation to figure it out.
* It opens the ports for *all* interfaces, not just the synce interface.
Option 3 - we could stick an iptables command in the HAL scripts.
This is very possibly utter crack, and please do let me know if it is.
But it seems to me we can run a very generic iptables command in the HAL
scripts when a device is plugged in, to open those ports for the synce
interface. It would not require any user interaction - it would 'just
work' when they plugged in the device. It only opens the ports for the
synce interface, not for the other network interfaces on the system. And
it should be compatible with most 'firewalls', as just about every Linux
firewall is really just a front end for iptables when you get down to
it.
Drawbacks: as I said, it may be just crack. I don't know if you're
*supposed* to go around firing off non-interactive iptables commands in
HAL. Someone may be coming to kill me for suggesting it even as I
speak. It definitely looks, walks, smells and sounds like a hack at the
very least.
jc2k points out that as far as we know, most 'firewalls' (that is,
iptables front ends) tend to just wipe out the entire iptables
configuration and create it from scratch whenever they're fired up or
their configuration is changed. So if the user does anything to trigger
a firewall configuration update after plugging in their device, it will
probably wipe out the rule.
I pointed out that at least this would respond to the classic end-user
solution: unplug it and plug it in again. That'd fix it, because the
rule would be re-created.
There may be some kind of security problem with this.
There are probably lots of other drawbacks; do feel free to point them
out. :) But I wanted to at least float the idea for feedback. What does
anyone think we should do about this - besides writing FirewallKit? :)
--
adamw
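What a HAL plug/unplug callout doing Option 3 could actually run, as an added example that is not code from the original post or from the synce project. It assumes the device shows up as the interface passed in $1 (rndis0 is a guess), an iptables that has the -C check option, and root privileges; the rules are scoped to that one interface only, and the -C check keeps a re-plug from stacking duplicate rules.

```shell
#!/bin/sh
# Added example, not code from the original post or from synce.
# Assumptions: the WM device appears as the interface given in $1
# (rndis0 is assumed), iptables is the packet filter, iptables supports
# -C, and "add"/"remove" are run as root from a HAL callout on
# plug/unplug. Every rule is restricted to that single interface.

SYNCE_TCP_PORTS="990 999 5678 5721 26675"   # WM5+ ports from the post

# Print (do not run) one iptables command for a port on an interface.
# $1 = interface, $2 = tcp port, $3 = iptables action (-C, -I or -D)
synce_rule() {
    printf 'iptables %s INPUT -i %s -p tcp --dport %s -j ACCEPT' "$3" "$1" "$2"
}

# Print one shell command line per port.
# add:    check with -C first so a re-plug never stacks duplicate rules
# remove: delete with -D so unplugging leaves nothing behind
synce_rules() {
    iface=$1; mode=$2
    for port in $SYNCE_TCP_PORTS; do
        case $mode in
            add)    printf '%s || %s\n' "$(synce_rule "$iface" "$port" -C)" \
                                       "$(synce_rule "$iface" "$port" -I)" ;;
            remove) printf '%s\n' "$(synce_rule "$iface" "$port" -D)" ;;
            *)      echo "usage: synce_rules IFACE add|remove" >&2; return 1 ;;
        esac
    done
}

# Execute the generated lines; with SYNCE_DRY_RUN=1 they are only printed.
synce_apply() {
    synce_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ -n "${SYNCE_DRY_RUN:-}" ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
}

# Stand-alone use: ./synce-fw.sh rndis0 add   (or: ./synce-fw.sh rndis0 remove)
if [ $# -eq 2 ]; then
    synce_apply "$1" "$2"
fi
```

Because the rules live only in the running ruleset, a front end that rebuilds iptables from scratch will still drop them, exactly as jc2k describes; re-running "add" (or re-plugging) restores them without duplicates.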