About F19 Firewall

Björn Persson bjorn at xn--rombobjrn-67a.se
Sat Sep 28 11:34:48 UTC 2013

Eric H. Christensen wrote:
>What are you trying to protect yourself from, exactly?

Me? Other than address translation (a necessary evil) I use packet
filters mostly to restrain crazy programs that open listening sockets
for unknown reasons even though I don't use them for any kind of
communication. There was for example some kind of Gnome daemon that
popped up and started listening on an RTSP port just because I was
playing music from the local disk through the local loudspeakers. Such
behaviour is equally crazy on all networks, so I don't need firewall
zones for that.

Better ask those who think they need "home" and "work" zones what
they're trying to achieve.

>> This difference may be temporary though. Sooner or later ISPs will be
>> forced to start providing IPv6 to customers, and then NAT will no
>> longer function as a firewall. 
>NAT was never really supposed to be a security feature.

That's not its primary purpose, no, but not having a public IP address
is in practice much like being behind a really zealous firewall that
only allows outgoing connections. People rely on that when they use
naïve protocols at home, for example unencrypted or passwordless file
and printer sharing protocols.

>IPv6 really isn't the problem.

I agree.

>> link-layer encryption like WPA2 won't protect anything anymore
>What do you think WPA2 protects against?  It has never protected
>against anything but decoding of intercepted packets across the
>wireless link.

As far as I know it's also supposed to prevent active attacks, not just
passive eavesdropping. The underlying assumption is that your local
wired network is protected by a firewall plus physical walls and locked
doors, and that you have something insecure on your network that needs
that protection. Then when you add a wireless link you have to prevent
others from connecting to it and attacking your insecure stuff. That's
what WPA2 is for.

But if your firewall is just a side effect of your NAT, and IPv6 makes
NAT obsolete, then your insecure stuff is no longer protected.

>> ...and then
>> protocols designed for an isolated friendly network will be equally
>> insecure on both wired and wireless networks.
>Then you probably shouldn't be using protocols designed for an
>isolated friendly network.  If you do then you probably deserve what
>happens to you as there is rarely such a thing as an "isolated
>friendly network".

And I don't use those protocols, but other people apparently do. Why
else would there be a need for WPA2 or firewall zones?

Björn Persson

Sent from my computer.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20130928/3dd120b8/attachment.sig>

More information about the devel mailing list