Shawn Milo wrote:

> I tried to connect to a network share using the Gnome "connect to
> server" tool,
> but I could not. I disabled the firewall, and all is working.
>
> I brought up the firewall tool under System Settings/Security level, and
> there are
> no options there to enable or disable anything other than www, ftp, ssh,
> telnet, and
> smtp.
>
> Do I just have to know, or find out, the port(s) used by smb?

Try ports 137 to 139 and 445 to begin with.

> Is there any way that,
> when a server or a port tries to make a connection for the first time, I
> can be prompted,
> the way other firewalls work, such as ZoneAlarm?

... "other" firewalls. ZoneAlarm et al. are the exception: most other firewalls, and all the big ones, work the way that Linux does, based on ports. The thing is, if a firewall is to protect more than one machine, all it will see is the IP connection.

Doing what ZoneAlarm does requires an ... intimate relationship with the TCP stack on a machine, and a way of allowing certain processes to access it, but not others. That's not how the traditional Unix (= BSD, in this case) network stack works, and I don't believe there is support in the standard Linux kernel for it.

SELinux would probably enable such a thing, but at the moment, SELinux is still at infrastructure stage. You could enable SELinux on FC2 (what you would need should already be installed or at most a yum install away) and write your own policies, but this is notoriously difficult to get right. Fedora tried it for FC2 test, turned it into a non-standard install option for FC2 itself, and are going back to a policy that merely targets certain server programs for FC3.

At some point, there will probably be a nice GUI to help you tweak the permissions on a task-by-task basis, but I'm not aware of any, yet.

James.
-- 
E-mail address: james | So what would happen if an Enterprise security team,
@westexe.demon.co.uk  | who always get killed soon after appearing, fought a
                      | squad of Imperial Stormtroopers, who can't hit the
                      | broad side of a planet?
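
Added example, not part of the original message: a port-based rule set for the ports suggested in the reply (137 to 139 and 445), limited to one trusted source network instead of opened to everyone. The helper name `smb_rules`, the default chain `INPUT`, and the use of iptables as the packet filter are assumptions.

```shell
#!/bin/sh
# Added example: print iptables-restore style rules for the ports named in
# the reply (137-139 and 445), limited to one trusted source network.
# Hypothetical helper; the default chain name INPUT is an assumption.

smb_rules() {
    net=$1
    chain=${2:-INPUT}

    case $chain in
        ''|*[!A-Za-z0-9_-]*) echo "bad chain name: $chain" >&2; return 2 ;;
    esac
    # Require address/prefix made only of digits and dots.
    case $net in
        */*/*|*[!0-9./]*) echo "bad network: $net" >&2; return 2 ;;
        */*) ;;
        *) echo "network needs a /prefix: $net" >&2; return 2 ;;
    esac
    addr=${net%/*}
    prefix=${net#*/}
    case $prefix in
        ''|*[!0-9]*) echo "bad prefix: $prefix" >&2; return 2 ;;
    esac
    if ! [ "$prefix" -le 32 ] 2>/dev/null; then
        echo "bad prefix: $prefix" >&2; return 2
    fi
    # Refuse /0: it would expose file sharing to every address.
    if [ "$prefix" -eq 0 ]; then
        echo "refusing to open SMB to any source" >&2; return 3
    fi
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    if [ $# -ne 4 ]; then echo "bad address: $addr" >&2; return 2; fi
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) echo "bad address: $addr" >&2; return 2 ;; esac
        if ! [ "$octet" -le 255 ] 2>/dev/null; then
            echo "bad address: $addr" >&2; return 2
        fi
    done

    # NetBIOS name and datagram services are UDP; session and direct SMB are TCP.
    printf '%s\n' \
        "-A $chain -s $net -p udp -m udp --dport 137:138 -j ACCEPT" \
        "-A $chain -s $net -p tcp -m tcp --dport 139 -j ACCEPT" \
        "-A $chain -s $net -p tcp -m tcp --dport 445 -j ACCEPT"
}
```

Calling `smb_rules 192.168.1.0/24` (a constructed network) prints three rules that have to sit above any final reject or drop rule in the chain to take effect.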