F21 System Wide Change: Workstation: Disable firewall

Reindl Harald h.reindl at thelounge.net
Tue Apr 15 09:18:06 UTC 2014



Am 15.04.2014 11:01, schrieb Jaroslav Reznik:
> = Proposed System Wide Change: Workstation: Disable firewall = 
> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
> 
> Change owner(s): Matthias Clasen <mclasen at redhat.com>
> 
> The firewalld service will not be enabled by default in the workstation 
> product. 
> 
> == Detailed Description ==
> The current level of integration into the desktop and applications does not 
> justify enabling the firewalld service by default. Additionally, the set of 
> zones that we currently expose is excessive and not user-friendly. Therefore, 
> we will disable the firewall service while we are working on a more user-
> friendly way to deal with network-related privacy issues.
> 
> It will of course still be possible to enable the firewall manually. 
> 
> == Scope ==
> * Proposal owners/Other developers: Add a Workstation-specific service 
> configuration (preset ?) to the firewalld package that disables firewalld for 
> the Workstation product 
> * Release engineering: No action required 
> * Policies and guidelines: No action required 

>> User Experience
>> Applications that are using sharing protocols such as DAAP or
>> UPnP will work out of the box, without the need to tweak or
>> disable the firewall service

seriously going the Apple way and back to where WiNXP before SP3 was?
users running applications which opening a high port in the background
like license checks and so on (as example ZendStudio) will be really
thankful that as default these ports are open on the WAN

honestly whoever proposes such a change has to understand that these
days it is not uncommon to have diretly to the WAN exposed machines
with no safety NAT/router between (UMTS/3G sticks, untrusted WLAN)

independent of whatever product a new installed system has not
to open any port by default - anybody proposing the opposite
is careless and ignorant if it comes to security

do "we" really want to go the way of dangerous defaults without
at least two buttons "secure defaults" and "i don't care" due
the installation?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140415/c218b745/attachment.sig>


More information about the devel mailing list