MacOS has firewall disabled by default on every iteration.
Luya
On 2019-08-27 4:23 p.m., John Harris wrote:
> On Tuesday, August 27, 2019 8:23:01 AM MST Chris Murphy wrote:
>> On Tue, Aug 27, 2019 at 6:22 AM Neal Gompa <ngompa13@gmail.com> wrote:
>>
>>> The other major non-Linux operating systems do. Both Microsoft Windows
>>> and Apple macOS ship with active firewalls by default.
>>
>> The firewall on macOS is disabled by default. Therefore I can't agree
>> with any assessment that Fedora Workstation is, on this point alone,
>> in some sort of vulnerable state outside that of macOS.
>>
>> Windows is enabled by default with two "zones" or "policies" (I can't
>> even tell from their own UI what to call this), one for private
>> networks, and another for guest/public networks.
>
> I don't have a mac, so I can't confirm this, but Apple suggests that there's
> nothing bound to listen by default. If that's the case, and I imagine it's
> difficult to run real software on Mac which might bind stuff (because of those
> "app" things they've got, I presume), that might be a legitimate thing for
> Macs. We're not Apple, and we're not rolling out MacOS. I personally believe
> that's a horrible idea for Mac systems as well, even if they don't bind
> anything by default, which we do.
>
> By default, Windows 10 enterprise has the following firewall zones:
> Public
> Private
> Home
> Work
> Domain
>
>>> Those are the real competitors, and they have a good UX for firewall
>>> handling so that users can Do The Right Thing(TM).
>>
>> For Windows and macOS, when firewall is enabled, an application that
>> tries to open a port against the firewall's policy, causes a dialog to
>> appear. The user needs to read that, and make a decision. A valid
>> subjective case can be made that this is janky, as if the UI itself is
>> saying: "I dunno if this network is trustworthy! Do you know if it's
>> trustworthy?!" Without any further way of informing the user how to
>> determine this. They are both a buck passing interface. And that's
>> fine for some users, but definitely not fine for others.
>
> This sounds like a misunderstanding as to what firewalls, and the various
> types of firewalls, are. By default, Fedora uses firewalld, which is not an
> application firewall, which is what you've described. "I dunno if this network
> is trustworthy! Do you know if it's trustworthy?!" is a legitimate decision
> for the end user or sysadmin to make. It is not "a buck passing interface",
> the Fedora install has no possible way to know. The end user or sysadmin
> would.
>