F21 System Wide Change: Workstation: Disable firewall

Reindl Harald h.reindl at thelounge.net
Tue Apr 15 09:40:20 UTC 2014


On 15.04.2014 11:32, drago01 wrote:
> On Tue, Apr 15, 2014 at 11:18 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>>>> User Experience
>>>> Applications that are using sharing protocols such as DAAP or
>>>> UPnP will work out of the box, without the need to tweak or
>>>> disable the firewall service
>>
>> seriously going the Apple way and back to where WinXP before SP3 was?
> 
> strawman

no it's a fact, before SP3 WinXP had no firewall and MS learned

>> users running applications which open a high port in the background
>> like license checks and so on (as example ZendStudio) will be really
>> thankful that as default these ports are open on the WAN
> 
> Why does it listen on a port for license checks? It should just
> contact the server and not the other way.

it's hardly your business nor mine, fact is that you as os-vendor
can not know what application is opening whatever ports and that's
why you have to ship secure defaults

> Besides no one is stopping you from enabling the firewall

did you really not learn anything from the past 10 years like
new Windows setups were infected before you even had the
chance to install the security updates or enable a firewall?

it is not a point of *what i can do and do*
it is a point what the ordinary 08/15 user does which assumes
to have a by default secure system after install

>> honestly whoever proposes such a change has to understand that these
>> days it is not uncommon to have directly to the WAN exposed machines
>> with no safety NAT/router between (UMTS/3G sticks, untrusted WLAN)
>> independent of whatever product a new installed system has not
>> to open any port by default
> 
> I agree to that but the point is "open by default". But if the user
> chooses to open it to share a file or whatever it should "just work".
> 
>> - anybody proposing the opposite
>> is careless and ignorant if it comes to security
> 
>> do "we" really want to go the way of dangerous defaults without
> 
> ... "dangerous" ?

allow any random application to open an unprivileged
port which is reachable from outside is dangerous

> So install the workstation package set. Boot it up. Disable the firewall.
> Which kind of vulnerabilities are you able to find? Which ports are
> accessible? What can you do with them?

*we talk about an operating system*

there is installed software later
i do not know and you do not know what is running on the users machine

>> at least two buttons "secure defaults" and "i don't care" during
>> the installation?
> 
> No that's dumb

dumb is "we can't handle security currently in a default install and
so we disable it completely" in other words like "we will disable
the firewall service while we are working on a more user-friendly way
to deal with network-related privacy issues"
