F21 System Wide Change: Workstation: Disable firewall

Andrew Lutomirski luto at mit.edu
Tue Apr 15 17:05:16 UTC 2014


On Tue, Apr 15, 2014 at 10:00 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>
>
> On 15.04.2014 18:51, Andrew Lutomirski wrote:
>> On Tue, Apr 15, 2014 at 9:44 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>>>
>>>
>>> On 15.04.2014 17:40, Andrew Lutomirski wrote:
>>>> On Tue, Apr 15, 2014 at 7:42 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>>>
>>>
>>>> How about having an API where things like DLNA can simply
>>>> not run until you're connected to your home network?
>>>
>>> can you prove that this will always happen the right way?
>>> can you implement software that knows *for sure*
>>> what my home network is? if you can do that, you'll get rich!
>>
>> Does the firewall really help?
>
> yes, because there is not a single port reachable after the
> installation, and you can at least install the security updates
> released after the GA of the current Fedora setup until
> you have a port open

This is true even without the firewall.  I'd argue that one of the
Workstation release requirements should be that a default installation
opens no ports to the outside world.

>> Your already-known-to-be-malicious television can mess with
>> ARP or DHCP, intercept an HTTP request, and CSRF the crap
>> running on your computer.
>
> my television can do a CSRF?

If you browse to a page served by your television, it can certainly
send you a CSRF payload.  Whether or not it works depends on whether
any services running on your box are vulnerable.

> my television can send me a mail and click on a link there?

Probably.

But it can certainly hijack any HTTP request you send and replace the contents.

>
> don't talk about things which are *obviously* out of your business
> http://en.wikipedia.org/wiki/Cross-site_request_forgery
>
> and no, my television can do nothing, because my television is blocked
> on every incoming port on my computer - guess by what: the firewall

Which doesn't matter *at all*, because it's attacking your *outgoing* traffic.

If you have a firewall between your television and the rest of your
network, you win.  But Fedora can't help you with that, no matter what
its default policy is.

--Andy
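Andy's proposed release requirement, that a default installation opens no ports to the outside world, is something a tester can check mechanically. The following is an added example (not code from the thread or from Fedora): it parses the output of `ss -Hlntu` (listening TCP/UDP sockets, numeric, no header) and keeps only sockets bound to something other than a loopback address, which is exactly the set a device on the LAN could reach when no host firewall is in the way. The sample output is constructed, not taken from a real system.

```python
"""List listening sockets that are reachable from the network, not just localhost."""
from __future__ import annotations

import ipaddress

# Constructed sample in the layout `ss -Hlntu` prints (not a real host):
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
udp   UNCONN 0      0              [::1]:323           [::]:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      10     [fe80::1%wlan0]:8080         [::]:*
"""


def split_local_address(local: str) -> tuple[str, int]:
    """Split ss's 'host:port' field; host may be bracketed IPv6 with a scope id."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and '%iface'
    return host, int(port)


def is_externally_reachable(host: str) -> bool:
    """True unless the socket is bound to a loopback address only."""
    if host == "*":  # some ss versions print '*' for the unspecified address
        return True
    # 0.0.0.0 and :: are 'any interface', so they count as reachable;
    # link-local (fe80::/10) is reachable by anything on the same LAN.
    return not ipaddress.ip_address(host).is_loopback


def external_listeners(ss_output: str) -> list[tuple[str, str, int]]:
    """Return (proto, host, port) for every listening socket a LAN peer could hit."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:  # skip blank or truncated lines
            continue
        host, port = split_local_address(fields[4])
        if is_externally_reachable(host):
            found.append((fields[0], host, port))
    return found


if __name__ == "__main__":
    for proto, host, port in external_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proto:4} {host}:{port} is reachable from the network")
```

On a live Fedora box, feed it the real output (`ss -Hlntu | python3 this_script.py` after swapping the sample for `sys.stdin.read()`); an empty result is what the proposed requirement asks for.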

