8:02 a.m.
Hey guys,
given that there is quite heated discussion about open by default firewall, is this
something we want to contribute to (as a team) ? Do you think we a) can and b) should come
with a statement and join the discussion ?
We started looking into making fedora more secure with PermitRootLogin and this case seems
similar (though with opposite outcome).
--
Jan Rusnacko, Red Hat Product Security
8:28 a.m.
I think I missed what the discussion is all about.
What is the gist of the "open by default firewall" discussion?
--
finid
On 2014-12-09 08:02, Jan Rusnacko wrote:
Hey guys,
given that there is quite heated discussion about open by default
firewall, is this something we want to contribute to (as a team) ? Do
you think we a) can and b) should come with a statement and join the
discussion ?
We started looking into making fedora more secure with PermitRootLogin
and this case seems similar (though with opposite outcome).
8:33 a.m.
Firewalld in F21 workstation will have opened all tcp and udp ports above 1024.
On 12/09/2014 03:28 PM, finid(a)vivaldi.net wrote:
I think I missed what the discussion is all about.
What is the gist of the "open by default firewall" discussion?
--
finid
On 2014-12-09 08:02, Jan Rusnacko wrote:
> Hey guys,
>
> given that there is quite heated discussion about open by default
> firewall, is this something we want to contribute to (as a team) ? Do
> you think we a) can and b) should come with a statement and join the
> discussion ?
>
> We started looking into making fedora more secure with PermitRootLogin
> and this case seems similar (though with opposite outcome).
_______________________________________________
security-team mailing list
security-team(a)lists.fedoraproject.org
https://lists.fedoraproject.org/mailman/listinfo/security-team
--
Jan Rusnacko, Red Hat Product Security
8:40 a.m.
What was the justification? I can understand not interfering with outbound
ports greater than 1024. However, inbound SYN requests should only be
allowed to specific ports (in some cases, from defined sources). In other
words, enumerate the good and deny by default.
- Tim
On Dec 9, 2014 9:33 AM, "Jan Rusnacko" <jrusnack(a)redhat.com> wrote:
Firewalld in F21 workstation will have opened all tcp and udp ports
above
1024.
On 12/09/2014 03:28 PM, finid(a)vivaldi.net wrote:
> I think I missed what the discussion is all about.
>
> What is the gist of the "open by default firewall" discussion?
>
>
> --
> finid
>
>
> On 2014-12-09 08:02, Jan Rusnacko wrote:
>> Hey guys,
>>
>> given that there is quite heated discussion about open by default
>> firewall, is this something we want to contribute to (as a team) ? Do
>> you think we a) can and b) should come with a statement and join the
>> discussion ?
>>
>> We started looking into making fedora more secure with PermitRootLogin
>> and this case seems similar (though with opposite outcome).
> _______________________________________________
> security-team mailing list
> security-team(a)lists.fedoraproject.org
> https://lists.fedoraproject.org/mailman/listinfo/security-team
--
Jan Rusnacko, Red Hat Product Security
_______________________________________________
security-team mailing list
security-team(a)lists.fedoraproject.org
https://lists.fedoraproject.org/mailman/listinfo/security-team
8:49 a.m.
Well, why is that necessary, and how is it better than the current
configuration?
Best security practice dictates that a firewall, by default, should be
configured in such a manner that everything is allowed out, but nothing
in, except those that are related to outgoing connections.
Any default configuration that differs from that does not contribute to
the security of a system.
Just my $0.02.
--
finid
On 2014-12-09 08:33, Jan Rusnacko wrote:
Firewalld in F21 workstation will have opened all tcp and udp ports
above 1024.
On 12/09/2014 03:28 PM, finid(a)vivaldi.net wrote:
> I think I missed what the discussion is all about.
>
> What is the gist of the "open by default firewall" discussion?
>
>
> --
> finid
>
>
> On 2014-12-09 08:02, Jan Rusnacko wrote:
>> Hey guys,
>>
>> given that there is quite heated discussion about open by default
>> firewall, is this something we want to contribute to (as a team) ? Do
>> you think we a) can and b) should come with a statement and join the
>> discussion ?
>>
>> We started looking into making fedora more secure with
>> PermitRootLogin
>> and this case seems similar (though with opposite outcome).
> _______________________________________________
> security-team mailing list
> security-team(a)lists.fedoraproject.org
> https://lists.fedoraproject.org/mailman/listinfo/security-team
8:52 a.m.
Really? Isn't established,related enough for the majority of uses?
Given firewald's integration and ability to do on-the-fly firewall rules
you would think you could just enable specific use cases at user request
(or even at app launch).
What use case were they coming up with needing all ports inbound open?
Telephony/Video conference?
Leaving it wide open on an untrusted network leaves a huge hole for
possible exploit. I'm thinking users setting up default DB instances,
all sorts of software with possible elevated privs might bind to high
ports by default.
Yuck,
David
On 12/09/2014 09:33 AM, Jan Rusnacko wrote:
Firewalld in F21 workstation will have opened all tcp and udp ports
above 1024.
On 12/09/2014 03:28 PM, finid(a)vivaldi.net wrote:
> I think I missed what the discussion is all about.
>
> What is the gist of the "open by default firewall" discussion?
>
>
> --
> finid
>
>
> On 2014-12-09 08:02, Jan Rusnacko wrote:
>> Hey guys,
>>
>> given that there is quite heated discussion about open by default
>> firewall, is this something we want to contribute to (as a team) ? Do
>> you think we a) can and b) should come with a statement and join the
>> discussion ?
>>
>> We started looking into making fedora more secure with PermitRootLogin
>> and this case seems similar (though with opposite outcome).
> _______________________________________________
> security-team mailing list
> security-team(a)lists.fedoraproject.org
> https://lists.fedoraproject.org/mailman/listinfo/security-team
8:41 a.m.
Hi,
Obviously having the firewall disabled by default is not a good idea. If there is already
a lack of control in the firewall rules to virtual machines that we use on a daily basis
for development /management/tests...
For a "desktop user" is even a bad idea. It is common to use automatic discovery
protocols for multimedia devices,P2P,gateways, etc. But always trusted networks. So it
makes more sense to have specific profiles according to the network, eg: Do you really
trust the wireless network in a coffee shop? an airport? I do not think so.
A firewall is not just a port filtering, also avoids problems of traffic management
network, spoofing attacks, etc.
Francisco Alonso / Red Hat Product Security
PGP: 0xA026440E 0825 020C 7A5A 4F86 9038 B1C8 5562 688F A026 440E
----- Original Message -----
From: "Jan Rusnacko" <jrusnack(a)redhat.com>
To: "security-team" <security-team(a)lists.fedoraproject.org>
Sent: Tuesday, December 9, 2014 3:02:45 PM
Subject: Ongoing open-firewall discussion
Hey guys,
given that there is quite heated discussion about open by default firewall,
is this something we want to contribute to (as a team) ? Do you think we a)
can and b) should come with a statement and join the discussion ?
We started looking into making fedora more secure with PermitRootLogin and
this case seems similar (though with opposite outcome).
--
Jan Rusnacko, Red Hat Product Security
_______________________________________________
security-team mailing list
security-team(a)lists.fedoraproject.org
https://lists.fedoraproject.org/mailman/listinfo/security-team
9:41 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Tue, Dec 09, 2014 at 03:02:45PM +0100, Jan Rusnacko wrote:
Hey guys,
given that there is quite heated discussion about open by default firewall, is this
something we want to contribute to (as a team) ? Do you think we a) can and b) should come
with a statement and join the discussion ?
Moving this to the general security list...
Did FESCo really approve this? I can't imagine someone actually approving such a dumb
request.
- -- Eric
- --------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks(a)fedoraproject.org - sparks(a)redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
- --------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAEBCgAGBQJUhxgPAAoJEB/kgVGp2CYvR7EL/R9U/mTaq+/4mGOaopZWiihV
+LusWiw4GguG7x4zGXtHe6FQGsspMbniuj7nmW5n+PxQyn4Du3Zk90jtQ4RwKUU5
53OCxQvKtOBZveWmHATXSEY/JNv8eCyuVkjO3Sc4ZQDewcpMGLAt5D50dU6vcOVo
a74E7t2TwpLUgzm4QwfFWMbVZtI8sdTc+VnBLZL+GF/ZAkHd0eiyQtPcgvebaRY9
68F3MjC3IwyVaQTa7LG1bhmMX/t96TinAVDKG45aS5wfkNnYFFoYVUuvxTtBvWS7
ZT3JZ8BjjkAsCh03p9JangGsWSEeN2AZTZ+qEPt6Z4l4qy88yrbE8ZPXv4KMEqTt
oXFZHOZg0X5/OulPe/Q3rsohe7hpMLdBmhvjfNkEnj7tx8R/VhUBwqt4I/AYhODQ
CX0FgDRf9Qa9AMrmfP+/KUvuTNC0pylVu0IegRmyizlvmqj1ltEuXauxwJsnLFKN
I5v/Ms4m7u2+WJloza2gUfzP+Zcup2JPbH6D7OVWJg==
=w7aN
-----END PGP SIGNATURE-----
9:51 a.m.
On 9 December 2014 at 08:41, Eric H. Christensen <sparks(a)fedoraproject.org>
wrote:
--
Stephen J Smoogen.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Tue, Dec 09, 2014 at 03:02:45PM +0100, Jan Rusnacko wrote:
> Hey guys,
>
> given that there is quite heated discussion about open by default
firewall, is this something we want to contribute to (as a team) ? Do you
think we a) can and b) should come with a statement and join the discussion
?
Moving this to the general security list...
Did FESCo really approve this? I can't imagine someone actually approving
such a dumb request.
It would help if people slowed down and quit using pronouns.
What exactly is this?
What was the request you are thinking about and what is the request the
other person is talking about...
if you can get those explained by both parties and agreed on.. then we can
move to if this is 'dumb' or not. Until then it is heated emotion clouding
any useful discussion or debate. [Firing torpedoes without co-ordinates
sounds great in movies.. but not in real life.]
1:01 p.m.
On 12/09/2014 04:41 PM, Eric H. Christensen wrote:
On Tue, Dec 09, 2014 at 03:02:45PM +0100, Jan Rusnacko wrote:
> Hey guys,
> given that there is quite heated discussion about open by default firewall, is this
something we want to contribute to (as a team) ? Do you think we a) can and b) should come
with a statement and join the discussion ?
Moving this to the general security list...
Did FESCo really approve this? I can't imagine someone actually approving such a
dumb request.
No idea. Despite that, it shipped apparently, so can we actually do
something about it, or is this a lost cause for F21 ?
--
Jan Rusnacko, Fedora Security Team
1:19 p.m.
On 2014-12-09 13:01, Jan Rusnacko wrote:
On 12/09/2014 04:41 PM, Eric H. Christensen wrote:
> On Tue, Dec 09, 2014 at 03:02:45PM +0100, Jan Rusnacko wrote:
>> Hey guys,
>
>> given that there is quite heated discussion about open by default
>> firewall, is this something we want to contribute to (as a team) ? Do
>> you think we a) can and b) should come with a statement and join the
>> discussion ?
>
> Moving this to the general security list...
>
> Did FESCo really approve this? I can't imagine someone actually
> approving such a dumb request.
No idea. Despite that, it shipped apparently, so can we actually do
something about it, or is this a lost cause for F21 ?
Seriously! If that's the default on F21, I guess the only thing that can
be done now is to raise hell and push for the next system update to fix
it.
1:26 p.m.
Am 09.12.2014 um 20:19 schrieb finid(a)vivaldi.net:
On 2014-12-09 13:01, Jan Rusnacko wrote:
> On 12/09/2014 04:41 PM, Eric H. Christensen wrote:
>> On Tue, Dec 09, 2014 at 03:02:45PM +0100, Jan Rusnacko wrote:
>>> Hey guys,
>>
>>> given that there is quite heated discussion about open by default
>>> firewall, is this something we want to contribute to (as a team) ?
>>> Do you think we a) can and b) should come with a statement and join
>>> the discussion ?
>>
>> Moving this to the general security list...
>>
>> Did FESCo really approve this? I can't imagine someone actually
>> approving such a dumb request.
> No idea. Despite that, it shipped apparently, so can we actually do
> something about it, or is this a lost cause for F21 ?
Seriously! If that's the default on F21, I guess the only thing that can
be done now is to raise hell and push for the next system update to fix it
thank you!
i can not eat enough to puke the appropriate amount for such horrible
decisions and as far as i can see the only hard defender comes again and
again with "rygel" as usecase to defened that decisison
are we now at a point where a random software dicatets security baselines?
did nobody leanr anything of the past at least 5 years?
i want my Windows back, at least it asked before it opens a port
*yes* i can fix that, i don't need firewalld as well as the workstation
spin *but* i am affected by *nay* hacked and compromised machine on this
damned planet starting to shoot on *my* infrastcuture and burry me in
useless noise masking the real treats
1:33 p.m.
On 2014-12-09 13:26, Reindl Harald wrote:
Am 09.12.2014 um 20:19 schrieb finid(a)vivaldi.net:
> On 2014-12-09 13:01, Jan Rusnacko wrote:
>> On 12/09/2014 04:41 PM, Eric H. Christensen wrote:
>>> On Tue, Dec 09, 2014 at 03:02:45PM +0100, Jan Rusnacko wrote:
>>>> Hey guys,
>>>
>>>> given that there is quite heated discussion about open by default
>>>> firewall, is this something we want to contribute to (as a team) ?
>>>> Do you think we a) can and b) should come with a statement and join
>>>> the discussion ?
>>>
>>> Moving this to the general security list...
>>>
>>> Did FESCo really approve this? I can't imagine someone actually
>>> approving such a dumb request.
>> No idea. Despite that, it shipped apparently, so can we actually do
>> something about it, or is this a lost cause for F21 ?
>
> Seriously! If that's the default on F21, I guess the only thing that
> can
> be done now is to raise hell and push for the next system update to
> fix it
thank you!
i can not eat enough to puke the appropriate amount for such horrible
decisions and as far as i can see the only hard defender comes again
and again with "rygel" as usecase to defened that decisison
are we now at a point where a random software dicatets security
baselines?
did nobody leanr anything of the past at least 5 years?
i want my Windows back, at least it asked before it opens a port
*yes* i can fix that, i don't need firewalld as well as the
workstation spin *but* i am affected by *nay* hacked and compromised
machine on this damned planet starting to shoot on *my* infrastcuture
and burry me in useless noise masking the real treats
This is a well-known weakness of democracy.
One would only expect that anybody making a security recommendation
knows what they are talking about. Even more importantly, the person in
a position to accept such recommendations should also know the
consequences of what they are about to unleash on the rest of us.
Who should we be yelling at to get this fixed?
--
finid
2:31 p.m.
On Tue, 09 Dec 2014 13:33:45 -0600
finid(a)vivaldi.net wrote:
Who should we be yelling at to get this fixed?
You shouldn't be yelling at anyone, but make a reasonable proposal that
can address the perceived security issue as well as the usability issue.
Make no mistake, I do not like this situation, and I would prefer a
better default, but yelling at people will yield exactly 0 results.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
3424
days inactive
3424
days old
security-team@lists.fedoraproject.org
13 comments
10 participants
participants (10)
-
David Cafaro -
Eric Christensen -
finid@vivaldi.net -
Francisco Alonso -
Jan Rusnacko -
Jan Rusnacko -
joat -
Reindl Harald -
Simo Sorce -
Stephen John Smoogen