On 26 February 2014 12:31, Matthew Miller <mattdm@fedoraproject.org> wrote:
On Wed, Feb 26, 2014 at 12:39:31PM -0500, Simo Sorce wrote:
> Considering that the default policy on Fedora is to not start daemons
> automatically I am trying to understand why having a firewall configured
> by default is a good idea.

It is required by network policy at at least the two large universities
where I worked. Now, whether it provides defense-in-depth or just a checkbox
item is another issue, but it's nice to have Fedora default to being
compliant with typical requirements.


And pretty much every .gov and .mil site I know of and quite a few .com sites. Firewalls by default are so far into various configuration management requirements that you get to spend years trying to undo it and will only come out with needing a firewall and antivirus also. 

As Reindl pointed out, we can't guarantee we have no services on by default... all it takes is the law of unintended consequences before or after RC1 and you have something no one notices until after a release (or it is considered by the release group to not be a problem because we have a firewall already).


--
Stephen J Smoogen.