----- Original Message -----
Bastien Nocera wrote:
> Security is about compromises. The net result of the old firewall settings
> was people disabling the firewall.
And the net result of the new firewall settings is you disabling the
firewall for them,
It's not disabled.
and also for all those people out there (like me) who
were NOT disabling the firewall. (Thankfully, I'm not using the GNOME
Workstation, nor firewalld (but the old iptables.service), so I won't get
this "improvement".)
So why are you complaining exactly?
> The new firewall settings were vouched for by the firewalld
folks, and
> provide good defaults for most users.
The new firewall settings essentially amount to disabling the firewall.
It doesn't.
The only ports they protect are those controlled by root anyway, and
there
is nothing listening on those ports by default (except SSH, which your
firewall rules also let through, but that was already the case before).
There's a few more items that will be opened I'm afraid. And one of the reasons
why we block root ports is to avoid regressions like rpcbind listening
by default, which was due to a bug in packaging. So what you call "no firewall"
would actually have prevented the potential security hole.