sireliah / dragit

Application for intuitive file sharing between devices.
GNU General Public License v3.0

Firewall rules #9

Closed sp1ritCS closed 3 years ago

sp1ritCS commented 3 years ago

Is it possible for dragit to automatically punch holes into firewalld, if it has to listen to a specific port?

I know that gnome-network-displays are doing something like this, might be a good idea to look at them and how they do it.

sireliah commented 3 years ago

It's a great idea, I'll research that!

sireliah commented 3 years ago

It seems that gnome-network-displays adds new firewalld zone automatically:

https://gitlab.gnome.org/GNOME/gnome-network-displays/-/issues/134
https://gitlab.gnome.org/GNOME/gnome-network-displays/-/commit/c2a81a501ec1eb231c05dd47416fe935d6573c13

sp1ritCS commented 3 years ago

But they are changing to that new zone at runtime if it isn't enabled. https://gitlab.gnome.org/GNOME/gnome-network-displays/-/commit/fed0e1311e89f229cc683abb5c3f9a996fbeb0a3

sireliah commented 3 years ago

Yeah, I see what they are doing there. They indeed expect the zone to be there and in case it is not, they create it. It seems that they operate on a fixed port.

The interface they use to communicate with firewalld is D-Bus. We could do the same, since there are pretty good D-Bus bindings for Rust, however there is a gotcha here:

Having said that, I'll run some tests with my local firewalld and see if there are any potential problems.

sp1ritCS commented 3 years ago

> there are pretty good D-Bus bindings for Rust

if you're talking about zbus, absolutely. dbus-rs not so much :D

> We should clearly explain why Dragit demands those privileges and what it will do to the user's computer.

well, if I remember correctly, gnome-network-displays shows a similar polkit authentication dialog as firewall-config itself: [image]

I think it should be fairly obvious with that message that dragit needs to modify the firewall zone.

> In context of Flatpak application - maybe it's not an issue, but using D-Bus to change settings of the host system is yet another hole in the sandbox. Docs don't say it's bad, but you know

well, I guess it's better than not working at all ¯\_(ツ)_/¯

sireliah commented 3 years ago

@sp1ritCS I'm not quite done with the code yet, but it would be great if you could take a look at this PR and particularly the firewall module. I implemented adding the mdns service and the fixed Dragit port in case it's not available in the runtime config.
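
An added example (not part of the thread and not Dragit's code): the check-then-open logic discussed above, expressed with `firewall-cmd` rather than D-Bus and touching only the runtime configuration. The function names and the `FWCMD` override are hypothetical; the zone and port are supplied by the caller.

```shell
#!/bin/sh
# Added example, not Dragit's code. FWCMD is overridable (an assumption of
# this example) so the logic can be exercised without a running firewalld.
FWCMD=${FWCMD:-firewall-cmd}

# ensure_runtime_rule ZONE KIND VALUE
#   KIND is "service" or "port"; VALUE is e.g. "mdns" or "<port>/tcp".
# Prints "present" if the rule already exists, "added" if it was opened now.
# Returns 1 if the rule could not be added, 2 for an unsupported KIND.
ensure_runtime_rule() {
    zone=$1 kind=$2 value=$3
    case $kind in
        service|port) ;;
        *) echo "unsupported rule kind: $kind" >&2; return 2 ;;
    esac
    # Query first: nothing is changed when the rule is already in the
    # runtime configuration, so repeated launches are idempotent.
    if "$FWCMD" --zone="$zone" "--query-$kind=$value" >/dev/null 2>&1; then
        echo present
        return 0
    fi
    # No --permanent: the opening lives in the runtime config only and is
    # dropped on `firewall-cmd --reload` or a firewalld restart.
    if "$FWCMD" --zone="$zone" "--add-$kind=$value" >/dev/null 2>&1; then
        echo added
        return 0
    fi
    echo "could not add $kind $value to zone $zone" >&2
    return 1
}

# open_for_sharing ZONE PORT/PROTO
#   Opens mDNS (discovery) plus exactly one fixed port, nothing broader.
open_for_sharing() {
    ensure_runtime_rule "$1" service mdns || return 1
    ensure_runtime_rule "$1" port "$2" || return 1
}
```

The "added"/"present" output gives the application something concrete to show the user about what was changed in the firewall.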

sireliah commented 3 years ago

Closing the issue. The next release (including Flatpak) will contain the change!

nekohayo commented 2 years ago

Potential follow-up idea in issue #32, in case @sp1ritCS is interested.