About F19 Firewall

Eric H. Christensen sparks at fedoraproject.org
Thu Sep 26 14:04:24 UTC 2013



On Wed, Sep 25, 2013 at 08:42:38PM +0200, Björn Persson wrote:
> Eric H. Christensen wrote:
> >Authentication is based on WEP/WPA/WPA2 passphrase, possibly a MAC
> >address (BSSID), and 802.1 authentication.
> 
> There were no protests and no warnings. Obviously nothing tries to
> ensure that only authenticated networks are put in a trusted zone.

Just the user.  If the user doesn't trust the network then the user probably shouldn't mark it as "trusted".

> >This is wireless, however.  Hardline connections will always
> >be a bit more secure and the auto zone there will make more sense.
> 
> Given that many wireless home networks use WPA2 these days, but few if
> any wired home networks use 802.1X, it looks like with FirewallD wired
> connections may actually be *less* secure than wireless connections.

Not really.

> ... but any Ethernets they connect to will be
> treated as the home network, which many users probably don't realize.

I've not tested this completely so I'm not willing to make any assumptions.

One assumption that I will make is that the firewall is secondary to the protections offered by the software itself.  What are you trying to protect yourself from, exactly?  I don't think anyone is going to have a completely wide-open firewall at home and hope for protection when away.  If I were to make assumptions, it would be that perhaps the user would want SSH connectivity at home but not while away.  So if port 22 is open on an outside network, there is still the built-in security that comes from SSH that protects the system.

Before the implementation of firewalld, iptables would have had to be changed manually to secure this port.  If you didn't do so, you were just as at risk as you would be if NetworkManager didn't put the correct zone on the network connection.

> This difference may be temporary though. Sooner or later ISPs will be
> forced to start providing IPv6 to customers, and then NAT will no longer
> function as a firewall. 

NAT was never really supposed to be a security feature.

> It remains to be seen how home networks will
> evolve then.

The evolution has already happened.  Notice firewalls on all the end points?

> ... blocking all incoming IPv6 traffic

IPv6 really isn't the problem.

> link-layer encryption like WPA2 won't protect anything anymore

What do you think WPA2 protects against?  It has never protected against anything but decoding of intercepted packets across the wireless link.  We use it for authentication but it isn't true authentication (WPA2 Enterprise could be considered authentication) in the sense of the word.

> ...and then
> protocols designed for an isolated friendly network will be equally
> insecure on both wired and wireless networks.

Then you probably shouldn't be using protocols designed for an isolated friendly network.  If you do then you probably deserve what happens to you as there is rarely such a thing as an "isolated friendly network".

> Sent from my computer.

Sent from someone else's computer.

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project

sparks at fedoraproject.org - sparks at redhat.com
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
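The worry raised in this thread (a connection the user never classified lands in whatever zone firewalld applies by default, and if that zone opens SSH the port is reachable from the café just as it is at home) can be audited from the files involved. The script below is an added example and is not code from the thread, from firewalld or from NetworkManager. It assumes the firewalld zone XML format (a `<zone>` element with `<service name="..."/>` and `<port port="..." protocol="..."/>` children, as in `/etc/firewalld/zones/*.xml`), a `DefaultZone=` line in `firewalld.conf`, and the optional `zone=` key in the `[connection]` section of NetworkManager keyfiles; every input is a constructed sample embedded inline, and the connection names and SSIDs are made up.

```python
"""Audit which NetworkManager connections end up in a firewalld zone that exposes SSH.

Added example (not part of the mailing-list thread, firewalld or NetworkManager).
Assumptions: firewalld zone XML with <service name=.../> and <port .../> children,
DefaultZone= in firewalld.conf, and zone= under [connection] in NM keyfiles.
All inputs below are constructed samples in the shape of the real files.
"""
import configparser
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/firewalld.conf
FIREWALLD_CONF = """# firewalld config file (constructed sample)
DefaultZone=public
CleanupOnExit=yes
"""

# Constructed samples of zone definitions (/etc/firewalld/zones/<name>.xml).
# 'public' opens tcp/22 directly rather than via the ssh service, so the
# checker has to look at both forms.
ZONE_XML = {
    "home": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <service name="ssh"/>
  <service name="mdns"/>
</zone>
""",
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="22"/>
</zone>
""",
    "work": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="dhcpv6-client"/>
  <service name="ipp-client"/>
</zone>
""",
}

# Constructed NetworkManager keyfiles (hypothetical connection names and SSIDs).
NM_KEYFILES = [
    "[connection]\nid=Home WiFi\ntype=wifi\nzone=home\n\n"
    "[wifi]\nssid=example-home\n\n[wifi-security]\nkey-mgmt=wpa-psk\n",
    "[connection]\nid=Wired connection 1\ntype=ethernet\n",
    "[connection]\nid=Cafe\ntype=wifi\n\n[wifi]\nssid=free-cafe-wifi\n",
    "[connection]\nid=Office\ntype=wifi\nzone=work\n\n"
    "[wifi]\nssid=corp\n\n[wifi-security]\nkey-mgmt=wpa-eap\n",
]


def default_zone(conf_text):
    """Return the DefaultZone= value; firewalld itself falls back to 'public'."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("DefaultZone="):
            return line.split("=", 1)[1].strip()
    return "public"


def zone_allows_ssh(xml_text):
    """True if the zone opens the ssh service or tcp/22 as a raw port."""
    root = ET.fromstring(xml_text)
    if any(s.get("name") == "ssh" for s in root.findall("service")):
        return True
    return any(p.get("port") == "22" and p.get("protocol") == "tcp"
               for p in root.findall("port"))


def parse_connection(keyfile_text):
    """Return (id, type, zone or None, wifi key-mgmt or None) from an NM keyfile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile_text)
    conn = cp["connection"]
    key_mgmt = None
    if cp.has_section("wifi-security"):
        key_mgmt = cp["wifi-security"].get("key-mgmt")
    return conn["id"], conn.get("type"), conn.get("zone"), key_mgmt


def audit(conf_text, zone_xml, keyfiles):
    """Map each connection to the zone firewalld will actually apply and flag SSH exposure.

    A connection without zone= falls into the default zone, which is the case
    the thread worries about: whatever that zone opens is open on every
    unclassified network, wired or wireless.
    Returns a list of (connection id, effective zone, tuple of warnings).
    """
    fallback = default_zone(conf_text)
    ssh_open = {name: zone_allows_ssh(xml) for name, xml in zone_xml.items()}
    report = []
    for text in keyfiles:
        cid, ctype, zone, key_mgmt = parse_connection(text)
        effective = zone or fallback
        warnings = []
        if zone is None:
            warnings.append("no zone set, using default zone %r" % fallback)
        if ssh_open.get(effective, False):
            warnings.append("ssh reachable in zone %r" % effective)
        if ctype == "wifi" and key_mgmt is None:
            warnings.append("open wifi (no wifi-security section)")
        report.append((cid, effective, tuple(warnings)))
    return report


if __name__ == "__main__":
    for cid, zone, warnings in audit(FIREWALLD_CONF, ZONE_XML, NM_KEYFILES):
        print("%-20s zone=%-8s %s" % (cid, zone, "; ".join(warnings) or "ok"))
```

With the sample inputs, the two connections that carry no `zone=` ("Wired connection 1" and the open "Cafe" network) both land in `public`, which here exposes tcp/22, while "Office" in `work` is clean. Pinning a connection to a zone is done with `nmcli connection modify "<name>" connection.zone home` (or the zone field in the connection editor); the script only reads the resulting files and does not change anything.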

