F21 System Wide Change: Workstation: Disable firewall

Josh Bressers bressers at redhat.com
Tue Apr 15 15:33:57 UTC 2014


> 
> > users running applications which open a high port in the background
> > like license checks and so on (as an example, ZendStudio) will be really
> > thankful that as default these ports are open on the WAN
> 
> Why does it listen on a port for license checks? It should just contact
> the server and not the other way.
> 
> Besides no one is stopping you from enabling the firewall.
> 

I'm going to jump into this thread here (I'm not purposely picking on this
singular point).

So when we have to think about security, the mindset needs to be "secure by
default". We shouldn't tell people they *can* enable the firewall, we tell
them they can disable it. While I will agree that in a perfect world we
shouldn't need a firewall, we don't live in a perfect world. Applications
have bugs, they have default logins, they listen on ports they shouldn't,
users have bad passwords, they have public shared folders, the list can go
on for a very very long time. A firewall is an easy win here.

What Fedora needs to keep in mind is the safety of our users. We've lived up to
this point with a firewall enabled. The solution is to fix the firewall,
not disable it. If we just disable the firewall, what is our incentive to
fix it?

Please don't disable the firewall, it's almost certainly not the right
decision, and I'm pretty sure we'll end up wishing we'd not disabled it
sooner or later.

Thanks.

-- 
Josh Bressers / Red Hat Product Security Team

