F21 System Wide Change: Workstation: Disable firewall

Andrew Lutomirski luto at mit.edu
Tue Apr 15 15:40:28 UTC 2014


On Tue, Apr 15, 2014 at 7:42 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>
> Am 15.04.2014 16:28, schrieb Christian Schaller:
>
>> There was a long thread about this on the desktop mailing list, and I was
>> not in the 'disable the firewall' camp in that discussion, but nobody in
>> that thread or here have articulated how the firewall exactly enhance security
>> in the situation where we at the same time need to allow each user to have any
>> port they desire opened for traffic to make sure things like DLNA or Chromecast
>> works.
>
> that is pretty easy - defaults have to be closed anything and the user
> have to make a choice for, otherwise if there are cirtical security
> updates after a release you have *exactly* the same as WinXP SP2

WinXP SP2 needed a firewall because MS didn't want to close ports 139
and 445 for real.  So instead they hacked it up with a firewall.  This
meant that, if you had the firewall blocking those ports, you were
okay, but if they were open (e.g. because you were at home), you were
screwed.

This is *not* a good thing.

Can someone explain what threat is effectively mitigated by a firewall
on a workstation machine?  Here are some bad answers:

 - Being pwned via MS's notoriously insecure SMB stack?  Not actually
a problem for Fedora.

 - WebRTC, VOIP, etc. issues?  These use NAT traversal techniques that
are specifically designed to prevent your firewall from operating as
intended.

 - DLNA / Chromecast / whatever: wouldn't it be a lot more sensible
for these things to be off until specifically requested?  Who actually
uses a so-called "zone" UI correctly to configure them?  How about
having an API where things like DLNA can simply not run until you're
connected to your home network?

Also, having a firewall on exposes you to a huge attack surface in
iptables, and it doesn't protect against attacks targeting the
kernel's IP stack.

I'm all for "secure by default", but I'm not at all convinced that
current desktop firewalls add any real security.

--Andy


More information about the devel mailing list