F21 System Wide Change: Workstation: Disable firewall

drago01 drago01 at gmail.com
Tue Apr 15 09:32:54 UTC 2014


On Tue, Apr 15, 2014 at 11:18 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>
>
> On 15.04.2014 11:01, Jaroslav Reznik wrote:
>> = Proposed System Wide Change: Workstation: Disable firewall =
>> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
>>
>> Change owner(s): Matthias Clasen <mclasen at redhat.com>
>>
>> The firewalld service will not be enabled by default in the workstation
>> product.
>>
>> == Detailed Description ==
>> The current level of integration into the desktop and applications does not
>> justify enabling the firewalld service by default. Additionally, the set of
>> zones that we currently expose is excessive and not user-friendly. Therefore,
>> we will disable the firewall service while we are working on a more user-
>> friendly way to deal with network-related privacy issues.
>>
>> It will of course still be possible to enable the firewall manually.
>>
>> == Scope ==
>> * Proposal owners/Other developers: Add a Workstation-specific service
>> configuration (preset ?) to the firewalld package that disables firewalld for
>> the Workstation product
>> * Release engineering: No action required
>> * Policies and guidelines: No action required
>
>>> User Experience
>>> Applications that are using sharing protocols such as DAAP or
>>> UPnP will work out of the box, without the need to tweak or
>>> disable the firewall service
>
> Seriously going the Apple way and back to where WinXP before SP3 was?

Strawman.

> Users running applications which open a high port in the background,
> like license checks and so on (for example ZendStudio), will be really
> thankful that by default these ports are open on the WAN.

Why does it listen on a port for license checks? It should just
contact the server and not the other way round.

Besides no one is stopping you from enabling the firewall.

> Honestly, whoever proposes such a change has to understand that these
> days it is not uncommon to have machines directly exposed to the WAN
> with no safety NAT/router in between (UMTS/3G sticks, untrusted WLAN).
> Independent of whatever product, a newly installed system must not
> open any port by default

I agree with that, but the point is "open by default". If the user
chooses to open it to share a file or whatever, it should "just work".

> - anybody proposing the opposite
> is careless and ignorant when it comes to security

> do "we" really want to go the way of dangerous defaults without

... "dangerous" ?

So install the workstation package set. Boot it up. Disable the firewall.
What kind of vulnerabilities are you able to find? Which ports are
accessible? What can you do with them?

> at least two buttons "secure defaults" and "i don't care" during
> the installation?

No that's dumb.
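The "which ports are accessible?" question above has a mechanical answer: with firewalld stopped there is no packet filter in front of the host, so every socket bound to a non-loopback address is reachable from whatever network the machine is on (3G stick, hotel WLAN). The script below is an added example for this thread, not code from the Fedora change page, the firewalld project or any poster. It parses `ss -tulnH` output (the `netid state recv-q send-q local peer` column layout) and reports the listeners that would be exposed; the sample socket table it runs on is constructed, not captured from a real install, and the `--live` flag is this script's own convention.

```shell
#!/bin/sh
# Added example; not code from the Fedora change page, firewalld, or any
# poster in the thread. Reports the listening sockets that become reachable
# from the network once firewalld is disabled.

# exposed_listeners: read `ss -tulnH`-style lines on stdin and print
# "proto port addr" for each listening socket not bound to loopback.
# Field layout of `ss -tulnH`: netid state recv-q send-q local peer
exposed_listeners() {
    awk '{
        proto = $1; laddr = $5
        # "addr:port": the port is everything after the last colon, which
        # also copes with IPv6 forms such as [::]:22 and [::1]:631
        n = split(laddr, parts, ":")
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        gsub(/\[|\]/, "", addr)
        # loopback-only listeners are not reachable from the network
        if (addr == "::1" || addr ~ /^127\./ || addr ~ /^::ffff:127\./) next
        # "0.0.0.0", "::" and "*" are wildcard binds: reachable on every interface
        print proto, port, addr
    }'
}

# firewalld_state: "running" when firewall-cmd can talk to firewalld,
# "not running" otherwise (firewall-cmd --state exits non-zero when it is off).
firewalld_state() {
    if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
        echo running
    else
        echo "not running"
    fi
}

# Constructed sample of `ss -tulnH` output for a workstation with a time
# daemon on 323 (loopback), mDNS on 5353, sshd on 22, a print spooler on
# 631 (loopback only) and a DAAP share on 3689. Not captured from a real host.
SAMPLE='udp   UNCONN 0 0   127.0.0.1:323   0.0.0.0:*
udp   UNCONN 0 0   [::1]:323       [::]:*
udp   UNCONN 0 0   0.0.0.0:5353    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:631   0.0.0.0:*
tcp   LISTEN 0 128 [::]:3689       [::]:*'

echo "sample host, network-reachable listeners:"
printf '%s\n' "$SAMPLE" | exposed_listeners

# Pass --live (this script's own flag) to inspect the machine it runs on.
if [ "${1:-}" = "--live" ]; then
    echo "firewalld: $(firewalld_state)"
    echo "network-reachable listeners on this host:"
    ss -tulnH | exposed_listeners
fi
```

On the sample the loopback-only sockets (323, 631) drop out and 22, 5353 and 3689 remain, which is exactly the set the thread is arguing about: an SSH daemon and the sharing protocols the change wants to "just work". On the systemd side, the preset the Scope item refers to is a `disable firewalld.service` line in a file under the systemd preset directory, which `systemctl preset` consults when a unit is first installed.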

