Firewall

Stephen John Smoogen smooge at gmail.com
Tue Dec 7 18:57:02 UTC 2010


On Tue, Dec 7, 2010 at 09:24, Jesse Keating <jkeating at redhat.com> wrote:
> On 12/07/2010 08:03 AM, Richard W.M. Jones wrote:
>> There's also more to life than TCP ports.  UDP ports, ICMP, other
>> protocols, other unrecognized protocols, packets containing completely
>> random stuff ...  Having a firewall that lets through every TCP port
>> does still give you protection from this other stuff.
>
> This is starting to sound like more reasonable arguments than "ZOMG
> FIREWALL".  Thank you.  We should be sure to document these things in a
> page that explains why Fedora has a Firewall by default, and why the
> default configuration has been chosen.

My memory of it goes something like this (notting can clarify)

Tech Support A: We are having a lot of issues with broken in systems
from network services
Developer A: Well they need to turn them off then.
Developer B: Well that would turn off <fill in something important>
Developer C: Well we do have a firewall
Developer A: Firewalls are hard.. do you know how hard it would be to
come up with something that doesn't break everyone.
Developer B: Hmmm we will need a gui and a backstore and ...
Alan Cox: Oh I wrote this lokkit so Telsa could set up a firewall after
her box got dodgy at a conference. The tech support guys can give it
out to people to test.

Or something like that. I do remember a lot of over-engineering and
then a very simple it does this from Alan. And I remember a lot of
issues we were having with customers going away after having them run
it.

The main things that will need to be done are
a) make sure most services aren't listening to UDP, SNP, etc to the
outside world
b) make sure that you can trust the services that do listen.
c) expect a lot of blowback from outside of Fedora after release.

-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren
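The checklist at the end of the message (make sure services are not listening to UDP/TCP on the outside world, and make sure the ones that do are trusted) can be turned into a repeatable audit. The following is an added example, not code from this thread, from Fedora, or from lokkit: it parses the listener table printed by iproute2's `ss -tuln` (the format is assumed from that tool; the sample output below is constructed, not captured from a real host), flags every socket bound to a non-loopback address as reachable without a firewall, and compares the result against an operator-supplied allow-list of trusted services. The `trusted` set and the port numbers are illustrative assumptions.

```python
"""Audit listening sockets for exposure to the outside world.

Added example for the firewall discussion above; not part of the original
thread. Input format is assumed to be that of `ss -tuln` (iproute2).
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
udp   UNCONN 0      0      [::]:5353           [::]:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      511    [::1]:25            [::]:*
tcp   LISTEN 0      4096   *:9090              *:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # bind address with brackets and %scope stripped
    port: int
    exposed: bool  # True when reachable from a non-loopback interface


def _split_addr_port(field):
    # "127.0.0.53%lo:53" -> ("127.0.0.53", 53); "[::]:5353" -> ("::", 5353);
    # "*:9090" -> ("*", 9090). rpartition keeps IPv6 colons in the address.
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def _is_exposed(addr):
    # Wildcard binds (0.0.0.0, ::, *) and any non-loopback address are exposed.
    if addr == "*":
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unrecognised form: treat as exposed so it gets reviewed
    return not ip.is_loopback


def parse_ss(output):
    """Parse `ss -tuln` output into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, port = _split_addr_port(local)
        listeners.append(Listener(proto, addr, port, _is_exposed(addr)))
    return listeners


def exposed_by_proto(listeners):
    """Item (a): which ports per protocol face the outside world."""
    report = {}
    for l in listeners:
        if l.exposed:
            report.setdefault(l.proto, []).append(l.port)
    return {proto: sorted(ports) for proto, ports in report.items()}


def untrusted_exposed(listeners, trusted):
    """Item (b): exposed listeners not on the operator's trusted allow-list.

    `trusted` is a set of (proto, port) pairs the operator has reviewed.
    """
    return sorted(
        (l.proto, l.port) for l in listeners
        if l.exposed and (l.proto, l.port) not in trusted
    )


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    print("exposed:", exposed_by_proto(found))
    # Assumed allow-list: only sshd has been reviewed and is trusted.
    print("needs review:", untrusted_exposed(found, trusted={("tcp", 22)}))
```

On a live host the same functions can be fed `subprocess.run(["ss", "-tuln"], capture_output=True, text=True).stdout`; anything reported under "needs review" is a service that either needs a firewall rule in front of it, a bind to loopback only, or an explicit decision that it is trusted.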