F21 System Wide Change: Workstation: Disable firewall

Andrew Lutomirski luto at mit.edu
Tue Apr 15 17:05:16 UTC 2014

On Tue, Apr 15, 2014 at 10:00 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> Am 15.04.2014 18:51, schrieb Andrew Lutomirski:
>> On Tue, Apr 15, 2014 at 9:44 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>>> Am 15.04.2014 17:40, schrieb Andrew Lutomirski:
>>>> On Tue, Apr 15, 2014 at 7:42 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>>>> How about having an API where things like DLNA can simply
>>>> not run until you're connected to your home network?
>>> you can prove that this will always happen the right way?
>>> you can implement software *for sure* knowing the fact
>>> what my home network is? if you can do that you get rich!
>> Does the firewall really help?
> yes, because there is no single port reachable after the
> installation and you can at least install security updates
> released after the GA of the current Fedora setup until
> you have a port open

This is true even without the firewall.  I'd argue that one of the
Workstation release requirements should be that a default installation
opens no ports to the outside world.

>> Your already-known-to-be-malicious television can mess with
>> ARP or DHCP, intercept an HTTP request, and CSRF the crap
>> running on your computer.
> my television can do a CSRF?

If you browse to a page served by your television, it can certainly
send you a CSRF payload.  Whether or not it works depends on whether
any services running on your box are vulnerable.

> my television can send me a mail and click on a link there?
But it can certainly hijack any HTTP request you send and replace the contents.

> don't talk about things which are *obviously* out of your business
> http://en.wikipedia.org/wiki/Cross-site_request_forgery
> and no my television can do nothing because my television is blocked
> on any incoming port on my computer - guess by what: the firewall

Which doesn't matter *at all*, because it's attacking your *outgoing* traffic.

If you have a firewall between your television and the rest of your
network, you win.  But Fedora can't help you with that, no matter what
its default policy is.
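The point above (an inbound-only firewall cannot see a request the victim's own browser makes to a service on the same host) is easy to reproduce. The following is an added example, not code from this thread, from Fedora or from any DLNA implementation: it starts a throwaway HTTP service on 127.0.0.1 standing in for "whatever is running on your computer", once in a vulnerable form and once hardened, and then sends the two requests a browser would make after rendering HTML that a television had injected into an intercepted HTTP response (an `<img>` GET and an auto-submitted cross-site form POST). The television's address 192.168.1.20, the `/set` endpoint and the token scheme are all constructed for the example.

```python
"""Added example: CSRF against a loopback service rides on outgoing traffic.
A throwaway service on 127.0.0.1 (constructed, not Fedora/DLNA code) is hit
with the requests a browser would make from a page the television injected."""
import hmac
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import ProxyHandler, Request, build_opener

TV_ORIGIN = "http://192.168.1.20"          # assumed address of the television
FORM = "application/x-www-form-urlencoded"
_opener = build_opener(ProxyHandler({}))   # never route loopback via a proxy


class LocalService(BaseHTTPRequestHandler):
    """/set?value=... changes service state; attributes set by start_service()."""
    hardened = False
    state = None        # dict mutated by /set
    csrf_token = None   # per-session secret, enforced only when hardened
    own_origin = None   # "http://127.0.0.1:<port>"

    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, code, text):
        body = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _apply(self, qs):
        self.state["value"] = qs.get("value", [""])[0]
        self._reply(200, "updated")

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/set":
            return self._reply(404, "not found")
        if self.hardened:
            # <img src=...> in an injected page is a GET: never change state on it.
            return self._reply(405, "state changes require POST")
        self._apply(parse_qs(url.query))

    def do_POST(self):
        if urlparse(self.path).path != "/set":
            return self._reply(404, "not found")
        qs = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", "0"))).decode())
        if self.hardened:
            # Browsers attach Origin to cross-site POSTs; reject any that is not ours.
            origin = self.headers.get("Origin")
            if origin is not None and origin != self.own_origin:
                return self._reply(403, "cross-origin request rejected")
            # The television's page cannot read ours (same-origin policy), so it
            # cannot learn the token; a missing or wrong one is rejected.
            supplied = qs.get("token", [""])[0].encode()
            if not hmac.compare_digest(supplied, self.csrf_token.encode()):
                return self._reply(403, "missing or wrong CSRF token")
        self._apply(qs)


def start_service(hardened):
    """Start a throwaway service on an ephemeral loopback port.
    Returns (server, base_url, state_dict, csrf_token)."""
    class Handler(LocalService):
        pass
    Handler.hardened, Handler.state = hardened, {"value": "initial"}
    Handler.csrf_token = secrets.token_hex(16)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    Handler.own_origin = "http://127.0.0.1:%d" % srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, Handler.own_origin, Handler.state, Handler.csrf_token


def _status(req):
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def csrf_from_injected_page(base):
    """The two requests a browser makes after rendering the television's HTML.
    Both originate inside the host, so an inbound-drop firewall never sees them.
    Returns their status codes: (GET via <img>, cross-site auto-submitted form POST)."""
    img_get = Request(base + "/set?value=pwned")
    form_post = Request(base + "/set", data=b"value=pwned", method="POST",
                        headers={"Origin": TV_ORIGIN, "Referer": TV_ORIGIN + "/",
                                 "Content-Type": FORM})
    return _status(img_get), _status(form_post)


def legitimate_update(base, token, value):
    """A request from the service's own page: POST, same origin, with the token."""
    req = Request(base + "/set", data=("value=%s&token=%s" % (value, token)).encode(),
                  method="POST", headers={"Origin": base, "Content-Type": FORM})
    return _status(req)


def run_demo():
    """Attack both variants; per variant: (csrf codes, state after csrf,
    legitimate code, final state)."""
    results = {}
    for name, hardened in (("vulnerable", False), ("hardened", True)):
        srv, base, state, token = start_service(hardened)
        try:
            codes = csrf_from_injected_page(base)
            after_csrf = state["value"]
            legit = legitimate_update(base, token, "ok")
            results[name] = (codes, after_csrf, legit, state["value"])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, row in run_demo().items():
        print(name, row)
```

Running it shows the vulnerable service accepting both injected requests (state becomes "pwned") while the hardened one answers 405 and 403 and keeps its state, yet still serves the same-origin, token-bearing POST. Nothing in the run touches an inbound port: every connection is made by the browser side from 127.0.0.1, which is why the firewall policy is irrelevant to it. The hardened variant combines two independent checks on purpose: Origin is absent on plain navigations and some older clients, so the token is the check that must hold, and the Origin comparison is a cheap early reject when the header is present.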

