F21 System Wide Change: Workstation: Disable firewall

Christopher ctubbsii at apache.org
Tue Apr 15 16:04:49 UTC 2014 

On Tue, Apr 15, 2014 at 11:40 AM, Andrew Lutomirski <luto at mit.edu> wrote:
> On Tue, Apr 15, 2014 at 7:42 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>>
>> Am 15.04.2014 16:28, schrieb Christian Schaller:
>>
>>> There was a long thread about this on the desktop mailing list, and I was
>>> not in the 'disable the firewall' camp in that discussion, but nobody in
>>> that thread or here have articulated how the firewall exactly enhance security
>>> in the situation where we at the same time need to allow each user to have any
>>> port they desire opened for traffic to make sure things like DLNA or Chromecast
>>> works.
>>
>> that is pretty easy - defaults have to be closed anything and the user
>> have to make a choice for, otherwise if there are cirtical security
>> updates after a release you have *exactly* the same as WinXP SP2
>
> WinXP SP2 needed a firewall because MS didn't want to close ports 139
> and 445 for real.  So instead they hacked it up with a firewall.  This
> meant that, if you had the firewall blocking those ports, you were
> okay, but if they were open (e.g. because you were at home), you were
> screwed.
>
> This is *not* a good thing.
>
> Can someone explain what threat is effectively mitigated by a firewall
> on a workstation machine?  Here are some bad answers:
>
>  - Being pwned via MS's notoriously insecure SMB stack?  Not actually
> a problem for Fedora.
>
>  - WebRTC, VOIP, etc. issues?  These use NAT traversal techniques that
> are specifically designed to prevent your firewall from operating as
> intended.
>
>  - DLNA / Chromecast / whatever: wouldn't it be a lot more sensible
> for these things to be off until specifically requested?  Who actually
> uses a so-called "zone" UI correctly to configure them?  How about
> having an API where things like DLNA can simply not run until you're
> connected to your home network?
>
> Also, having a firewall on exposes you to a huge attack surface in
> iptables, and it doesn't protect against attacks targeting the
> kernel's IP stack.
>
> I'm all for "secure by default", but I'm not at all convinced that
> current desktop firewalls add any real security.

Ideally, users would have complete knowledge of the behavior of every
piece of software in their system that utilizes the network, in which
case, they could very easily get by without a firewall. However, that
is not a reasonable expectation. A firewall protects users with
incomplete knowledge of their software.

Example: user installs software X... but oops, they didn't realize it
was going to listen on port Y.... but that's okay, because no firewall
rule has been enabled to allow traffic on port Y, so the user is
secure.

Even worse: user installs software X, but which has no network
features so the user feels safe, but oops, it depends on system
service Y, which does open network ports, was previously disabled, but
is now turned on by software X. Firewalls protect against this sort of
incomplete user knowledge. What if software Y only enables the network
periodically, to perform some maintenance function? Even a pedantic
user checking netstat isn't necessarily going to notice network
services listening on ports periodically.

Then, of course, there's separation of responsibilities. A network
admin at a company might care about firewall configuration, but
permits actual workstation user might just run/install whatever
software they like.

I'm a bit surprised that a case must be made to demonstrate that
firewalls provide real security, in 2014, but hopefully these examples
provide some demonstration that they do add real security. (Note, I
realize that in each of these cases, a firewall could be turned on
after the fact. These examples are to show the value of firewalls,
which is being questioned, not the value of having them turned on by
default. That's a different argument.)

>
> --Andy
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

More information about the devel mailing list