MacOS has firewall disabled by default on every iteration.

Luya

On 2019-08-27 4:23 p.m., John Harris wrote:
> On Tuesday, August 27, 2019 8:23:01 AM MST Chris Murphy wrote:
>> On Tue, Aug 27, 2019 at 6:22 AM Neal Gompa <ngompa13@gmail.com> wrote:
>>
>>> The other major non-Linux operating systems do. Both Microsoft Windows
>>> and Apple macOS ship with active firewalls by default.
>>
>> The firewall on macOS is disabled by default. Therefore I can't agree
>> with any assessment that Fedora Workstation is, on this point alone,
>> in some sort of vulnerable state outside that of macOS.
>>
>> Windows is enabled by default with two "zones" or "policies" (I can't
>> even tell from their own UI what to call this), one for private
>> networks, and another for guest/public networks.
>
> I don't have a mac, so I can't confirm this, but Apple suggests that there's
> nothing bound to listen by default. If that's the case, and I imagine it's
> difficult to run real software on Mac which might bind stuff (because of those
> "app" things they've got, I presume), that might be a legitimate thing for
> Macs. We're not Apple, and we're not rolling out MacOS. I personally believe
> that's a horrible idea for Mac systems as well, even if they don't bind
> anything by default, which we do.
>
> By default, Windows 10 enterprise has the following firewall zones:
> Public
> Private
> Home
> Work
> Domain
>
>>> Those are the real competitors, and they have a good UX for firewall
>>> handling so that users can Do The Right Thing(TM).
>>
>> For Windows and macOS, when firewall is enabled, an application that
>> tries to open a port against the firewall's policy, causes a dialog to
>> appear. The user needs to read that, and make a decision. A valid
>> subjective case can be made that this is janky, as if the UI itself is
>> saying: "I dunno if this network is trustworthy! Do you know if it's
>> trustworthy?!" Without any further way of informing the user how to
>> determine this. They are both a buck passing interface. And that's
>> fine for some users, but definitely not fine for others.
>
> This sounds like a misunderstanding as to what firewalls, and the various
> types of firewalls, are. By default, Fedora uses firewalld, which is not an
> application firewall, which is what you've described. "I dunno if this network
> is trustworthy! Do you know if it's trustworthy?!" is a legitimate decision
> for the end user or sysadmin to make. It is not "a buck passing interface",
> the Fedora install has no possible way to know. The end user or sysadmin
> would.