F21 System Wide Change: Workstation: Disable firewall

Reindl Harald h.reindl at thelounge.net
Tue Apr 15 18:00:53 UTC 2014



Am 15.04.2014 19:05, schrieb Andrew Lutomirski:
> On Tue, Apr 15, 2014 at 10:00 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>> Am 15.04.2014 18:51, schrieb Andrew Lutomirski:
>>> On Tue, Apr 15, 2014 at 9:44 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>>>>
>>>>
>>>> Am 15.04.2014 17:40, schrieb Andrew Lutomirski:
>>>>> On Tue, Apr 15, 2014 at 7:42 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>>>>
>>>>> How about having an API where things like DLNA can simply
>>>>> not run until you're connected to your home network?
>>>>
>>>> you can prove that this will always happen the right way?
>>>> you can implement software *for sure* knowing the fact
>>>> what my home network is? if you can do that you get rich!
>>>
>>> Does the firewall really help?
>>
>> yes, because there is no single port reachable after the
>> installation and you can at least install security updates
>> released after the GA of the current Fedora setup until
>> you have a port open
> 
> This is true even without the firewall.  I'd argue that one of the
> Workstation release requirements should be that a default installation
> opens no ports to the outside world

and I argue that this does *not* help in the case of a bug that happens
later after an update, nor if you install any application later that
opens ports not intended for the WAN and you are not aware of
the missing firewall, because nobody in his right mind assumes
that in 2014 an operating system comes out with disabled packet
filters

what you propose is hope and pray
security doesn't work that way

security can only work if one single bug somewhere does not lead
to a disaster because nobody looked at the whole picture and
assumed all is working as intended

it is *proven* that this does not work and it is *really*
scary that we have to discuss that in the year 2014 and
especially one week after Heartbleed

WTF does somebody proposing to disable the firewall imagine would have
happened if there had been a *highly secure application, allowing
connections only with a matching SSL cert and using OpenSSL, that had
faced the public internet last week*

why do people not realize what a *big difference* it would have made
between opening that port to the WAN only *willingly*, because you are
playing locally with that application, and having it open by default?

and guess what: exactly the people with no clue about security and
how to take care are the ones *not able* to turn on shields because
they don't ask for it - if something doesn't work because of the shields,
these people usually ask, or better, leave the shields up
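As an added example that is not part of the thread, the following script does the kind of audit the argument above calls for: it reconciles the sockets a host is listening on against what the active firewalld zone actually opens, so a service that a later install or update binds to a wildcard address shows up as something only the packet filter is holding back. The `ss -tulnp` and `firewall-cmd --list-all` outputs are constructed samples, and the service-to-port table is a hand-written stand-in for firewalld's service definitions.

```python
"""Reconcile listening sockets (`ss -tulnp`) against a firewalld zone
(`firewall-cmd --list-all`); both outputs below are constructed samples."""
import re

# Constructed sample of `ss -tulnp` output (not from a real host).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*     users:(("avahi-daemon",pid=812,fd=12))
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=901,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=1020,fd=3))
tcp   LISTEN 0      50             [::]:8200          [::]:*     users:(("minidlnad",pid=2231,fd=9))
"""
# Constructed sample of `firewall-cmd --list-all` for the active zone.
ZONE_OUTPUT = """\
public (active)
  interfaces: wlp3s0
  services: dhcpv6-client ssh
  ports:
"""
WILDCARDS = {"0.0.0.0", "::", "*"}
# Hand-written service -> (proto, port) stand-in; firewalld reads XML service files.
SERVICE_PORTS = {"ssh": ("tcp", 22), "mdns": ("udp", 5353), "ipp": ("tcp", 631)}

def parse_ss(text):
    """Return (proto, addr, port, process) per socket line, skipping the header."""
    out = []
    for line in text.splitlines()[1:]:
        f = line.split()
        addr, port = f[4].rsplit(":", 1)          # "[::]:8200" -> "[::]", "8200"
        m = re.search(r'\("([^"]+)"', line)        # process name inside users:(...)
        out.append((f[0], addr.strip("[]"), int(port), m.group(1) if m else "?"))
    return out

def parse_zone(text):
    """Return the set of (proto, port) the zone opens via its services/ports lines."""
    opened = set()
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        if key == "services":
            opened |= {SERVICE_PORTS[s] for s in val.split() if s in SERVICE_PORTS}
        elif key == "ports":
            for num, proto in (p.split("/") for p in val.split()):
                opened.add((proto, int(num)))
    return opened

def exposed_listeners(ss_text, zone_text):
    """Wildcard-bound listeners the zone does not open: what a disabled firewall exposes."""
    opened = parse_zone(zone_text)
    return [(proc, proto, port) for proto, addr, port, proc in parse_ss(ss_text)
            if addr in WILDCARDS and (proto, port) not in opened]
```

Loopback-only listeners such as the `cupsd` line are left out on purpose, since they are not reachable from the network either way; the two hits are exactly the services the zone never opened but the host is nevertheless listening on.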
