mcatanzaro(a)gnome.org writes:
> Well the thing is, blocking ports tends to break applications that want
> to use those ports. We're not going to do that, period. It also doesn't
> really accomplish anything: either your app or service needs network
> access and you have whitelisted it (in which case the firewall provides
> no security), or it needs network access and you have not whitelisted
> it (in which case your firewall breaks your app/service). In no case
> does it increase your security without breaking your app, right? Unless
> you have malware installed (in which case, you have bigger problems
> than the firewall). Or unless you have a vulnerable network service
> installed that you don't want (in which case, uninstall it).
>
> So if you want to change the firewall settings, you'd need to
> completely rethink how the firewall works. And nobody seems interested
> in doing that. We could e.g. have a list of apps that are allowed
> network access, but then we'd need some form of attestation so apps
> can't impersonate each other. So only sandboxed (flatpaked) apps could
> use this hypothetical new firewall. And we surely don't want to have
> yes/no permission prompts, so we can't really ask the user "do you want
> your app to access the network?" (the user will almost always say
> yes).
For what it's worth, macOS started doing exactly that recently.
I agree it seems useless, except for one thing. Sometimes, you realize
that some app is opening a port when you don't expect it.
> I'm not really sure what design would even work.
>
> Avoiding unnecessary network services makes more sense.
>
> On Mon, Aug 26, 2019 at 3:45 PM, Alexander Ploumistos
> <alex.ploumistos(a)gmail.com> wrote:
>
>> As a matter of fact, you did:
>> <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3LHDQD5HCZMPV6O4LZRSKTVEIKEFJIBY/#3LHDQD5HCZMPV6O4LZRSKTVEIKEFJIBY>
>> <https://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#idm225474210784>
>
> Thanks for dredging up these links!
>
> Michael
>
> _______________________________________________
> devel mailing list -- devel(a)lists.fedoraproject.org
> To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
Thing is, binding a port and expecting it to be open to every network
interface you've got are two very different things.
--
John M. Harris, Jr. <johnmh(a)splentity.com>
Splentity
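The distinction John draws between binding a port and exposing it on every interface, together with Michael's point that the useful signal is noticing an app listening where you did not expect, can be made concrete with a small audit script. The following is an added example, not code from the thread or from any Fedora component: it classifies listeners by their bound address (loopback, a specific interface, or the wildcard address), runs that classification over a constructed sample of `ss -ltn` output (invented for illustration, not captured from a real host), and binds two live sockets to show what the kernel actually reports for a loopback bind versus a wildcard bind.

```python
"""Audit which listening TCP sockets are reachable beyond loopback.

Added example, not part of the mailing-list thread. A listener bound to
127.0.0.1 or ::1 accepts connections only from the same host; one bound to
the wildcard address (0.0.0.0 / ::, printed as '*' by some ss versions)
accepts connections on every network interface the host has.
"""
import ipaddress
import socket

# Constructed sample of `ss -ltn` output (illustrative, not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       4096    0.0.0.0:22           0.0.0.0:*
LISTEN  0       50      192.168.1.10:5432    0.0.0.0:*
LISTEN  0       511     [::1]:3306           [::]:*
LISTEN  0       128     *:8080               *:*
LISTEN  0       4096    [::]:22              [::]:*
"""


def classify_bind_address(addr: str) -> str:
    """Return 'loopback', 'wildcard' or 'interface' for a bound address."""
    if addr == "*":                      # ss shorthand for the wildcard
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:                   # 127.0.0.0/8 or ::1
        return "loopback"
    if ip.is_unspecified:                # 0.0.0.0 or ::
        return "wildcard"
    return "interface"                   # a single configured address


def parse_local(field: str) -> tuple:
    """Split an ss 'Local Address:Port' field into (address, port)."""
    addr, _, port = field.rpartition(":")  # last colon separates the port
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]                  # strip IPv6 brackets
    return addr, int(port)


def audit_listeners(ss_text: str) -> list:
    """Parse ss output into rows tagged with their exposure class."""
    rows = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parse_local(parts[3])
        rows.append({"addr": addr, "port": port,
                     "exposure": classify_bind_address(addr)})
    return rows


def exposed_ports(ss_text: str) -> list:
    """Ports whose listener can be reached from other hosts."""
    return sorted({r["port"] for r in audit_listeners(ss_text)
                   if r["exposure"] != "loopback"})


def bind_and_report(host: str) -> str:
    """Bind an ephemeral TCP port on `host` and classify the bound address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))                  # port 0: kernel picks a free port
        s.listen(1)
        bound_addr, _port = s.getsockname()
        return classify_bind_address(bound_addr)


if __name__ == "__main__":
    for row in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{row['addr']:>16}:{row['port']:<6} {row['exposure']}")
    print("reachable from other hosts:", exposed_ports(SAMPLE_SS_OUTPUT))
    print("bind 127.0.0.1 ->", bind_and_report("127.0.0.1"))
    print("bind 0.0.0.0   ->", bind_and_report("0.0.0.0"))
```

On a real host, feed the script the output of `ss -ltn` (or `ss -ltnp` to see the owning process) instead of the constructed sample; any `wildcard` or `interface` row is a service that is reachable from the network regardless of whether you meant it to be, which is exactly the unexpected-listener case Michael describes, and the fix is to bind it to loopback or uninstall it rather than to paper over it with port blocking.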