<div dir="ltr">Hello,<br><div><div class="gmail_extra"><div class="gmail_quote">2014-04-16 14:28 GMT+02:00 Josh Boyer <span dir="ltr"><<a href="mailto:jwboyer@fedoraproject.org" target="_blank">jwboyer@fedoraproject.org</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">For a quick summary:<br>
<br>
1) With a firewall enabled, network services don't work without manual<br>
intervention.<br></blockquote><div><br></div><div>To be perfectly clear, vast majority of network applications work perfectly fine. Network <i>servers</i> need manual intervention.<br><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
2) With firewalld active, any privileged application can open a port<br>
in the firewall (and most will be privileged because they will be<br>
packaged that way.)<br></blockquote><div><br></div><div>No; most applications are not packaged in any way to get extra privilege to manage a firewall, and they <i>shouldn't</i>; applications poking holes in a firewall for themselves is pointless cargo-cult nonsense.<br>
<br></div><div>Some <i>user accounts</i> (members of wheel) are set up to be sufficiently privileged/root-equivalent so that they can open a port, but they really <i>are</i> root-equivalent so the specifics of what they can do to the firewall are not much relevant... at that point you really either trust all software you run, or not.<br>
<br></div><div>There <i>could</i> be applications specifically dexigned to open a port in the firewall even for unprivileged users (e.g. by having a separate privileged helper talk to firewalld), I don't think there actually are any.<br>
<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
3) With no firewall enabled and no network services started, there is<br>
no security issue because there are no open ports.<br></blockquote><div><br>There still are all the security issues with outgoing communication; in particular, the browser does matter (much more than say portmap) and the firewall cannot protect it.<br>
<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
4) With no firewall but active network services, you have open ports<br>
just as you would in the firewalld or manual intervention firewall<br>
case<br></blockquote><div><br></div><div>No because 2) is false... or yes for the wheel-member users. <br></div><div> Mirek<br></div></div></div></div></div>