F21 System Wide Change: Workstation: Disable firewall

Reindl Harald h.reindl at thelounge.net
Tue Apr 15 16:44:37 UTC 2014 


Am 15.04.2014 17:40, schrieb Andrew Lutomirski:
> On Tue, Apr 15, 2014 at 7:42 AM, Reindl Harald <h.reindl at thelounge.net> wrote:

>> that is pretty easy - defaults have to be closed anything and the user
>> have to make a choice for, otherwise if there are cirtical security
>> updates after a release you have *exactly* the same as WinXP SP2
> 
> WinXP SP2 needed a firewall because MS didn't want to close ports 139
> and 445 for real.  

because it is used for filesharing - period

> So instead they hacked it up with a firewall.  This
> meant that, if you had the firewall blocking those ports, you were
> okay, but if they were open (e.g. because you were at home), you were
> screwed.
> 
> This is *not* a good thing.

and the same happens with the Fedora Workstation argumentation
for whatever service

> Can someone explain what threat is effectively mitigated by a firewall
> on a workstation machine?  Here are some bad answers:
> 
>  - Being pwned via MS's notoriously insecure SMB stack?  Not actually
> a problem for Fedora.

stop that argumentation

you *never* can prove that for a predictable future
you *never* can prove that now

why?

* because you don't know what the user is running
* you don't know about security bugs now or in the furture


>  - DLNA / Chromecast / whatever: wouldn't it be a lot more sensible
> for these things to be off until specifically requested?

yes

but you can't relie on that if we talk about security


> How about having an API where things like DLNA can simply 
> not run until you're connected to your home network?

you can prove that this will always happen the right way?
you can implement software *for sure* knowing the fact
what my home network is? if you can do that you get rich!

> Also, having a firewall on exposes you to a huge attack surface in
> iptables, and it doesn't protect against attacks targeting the
> kernel's IP stack

fine - and because you can't reach 100% security you disable
an important security layer? well, than let us remove any
security barrier and give up because you will never reach
the 100% - not now, not tomorrow and not in 100 years

> I'm all for "secure by default", but I'm not at all convinced that
> current desktop firewalls add any real security

there is no "real security" on that planet
everybody working in the security business will explain that to you

you can refuse and ignore the facts, but they are still facts

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140415/75539932/attachment.sig>

More information about the devel mailing list