Re: GUPnP and Zones

[Mark Ryan <mark d ryan linux intel com>]

Hi Ludo,

On 04/23/2013 05:38 PM, Ludovic Ferrandis wrote:
> The main goal of Network Zone, it to manage the firewall rules
> differently, depending of the 'Zone' selected.
> In case we are working with a network manager that support Network Zone,
> we don't have anything to do. I explain.
>
> Everything could be done just by changing the firewall rules. Ex:

What I think we really need to provide is a sensible and secure set of 
defaults that apply to the entire DLNA stack.  So, by default, user 
content should not be shared on unsafe networks and the user is not put 
at risk by allowing DLNA applications to function on insecure networks. 
 And all this should happen automatically without any user 
configuration, where possible.

Now I must admit that I don't know anything about firewalls, but having 
said that, I'm not sure relying on low level firewall configurations is 
the best way to achieve this aim.

For example, who will configure the correct firewall settings for 
UPnP/DLNA?  Will this be done by the user or do we expect the the 
various distros to do this?  How do we ensure that these settings do not 
break other applications or services that are secure and don't need 
firewall protection?  How do we ensure that the UPnP settings are not 
overruled by settings for other applications or services, leaving our 
components vulnerable.

I could be wrong here, but it seems to me that making a few changes to 
the various context managers to recognise zones, would be an easier, 
safer and more efficient way of protecting our users.

Regards,

Mark