[pulseaudio-discuss] Pull request: Autospawn fix

Lennart Poettering lennart at poettering.net
Thu Jan 14 05:47:18 PST 2010


On Thu, 14.01.10 09:16, Colin Guthrie (gmane at colin.guthr.ie) wrote:

> 
> 'Twas brillig, and Kevin Fox at 14/01/10 00:43 did gyre and gimble:
> > devices", why not "Poke hole in local firewall"?
> 
> Is there a standard way to do this? I guess running ip[6]tables directly
> would work if you had root permissions.... is there some kind of
> framework (via presumably policykit) to achieve this?

Meh.

This is precisely why I think that "personal" firewalls are
madness. If you allow applications to poke holes into the firewall
whenever they want them why have the firewall in the first place? An
app normally just calls listen() to accept connections on a TCP
port. All those stupid schemes where apps are now supposed to ask for
an additional hole in the fw simply make this more complex so that it
becomes listen()+some_stupid_complex_dbus_call() or suchlike. And the
effect will be exactly the same: when the app wants the port it gets it.

Say NO! to personal firewalls. It creates a fake sense of security and
adds complexity and error sources.

If you want to regulate which process gets to listen on the network
then use a more useful security system, such as SELinux or
suchlike. But a firewall is simply not suitable.

I know that admins love their firewalls, but uh, just because that is
a tool they understand they shouldn't extrapolate that it is useful for
more than, let's say, network border control and maybe
laptop-in-an-internet-cafe profile lockdown.

Anyway, this is mostly off-topic. 

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4


