F21 System Wide Change: Workstation: Disable firewall

Daniel J Walsh dwalsh at redhat.com
Thu Apr 17 16:10:34 UTC 2014

On 04/16/2014 09:32 AM, Simo Sorce wrote:
> On Wed, 2014-04-16 at 05:40 -0700, Daniel J Walsh wrote:
>> On 04/15/2014 09:31 AM, Simo Sorce wrote:
>>> On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote:
>>>> I keep thinking that, if I had unlimited time, I'd write a totally
>>>> different kind of firewall.  It would allow some policy (userspace
>>>> daemon or rules loaded into the kernel) to determine when programs can
>>>> listen on what sockets and when connections can be accepted on those
>>>> sockets.  This avoids the attack surface of iptables, it will be
>>>> faster, it can cause programs to actually report errors if you want
>>>> them to, and it could be a lot easier to configure.
>>>> Wouldn't it be great if, when you start some program that wants to
>>>> listen globally, your system could prompt you and ask whether it was
>>>> okay, even if that program didn't know about firewalld?
>>> I think what you are describing could be probably realized with SELinux
>>> today, just with a special setroubleshoot frontend that catches the AVC
>>> when the service tries to listen and ask the user if he wants to allow
>>> it.
>>> However this would still not be completely sufficient as you completely
>>> lack any context about what network you are operating on.
>>> The firewall's purpose is to block access to local services on bad
>>> networks too, it is not a binary open/close equation when you have
>>> machines (laptops) that roam across a variety of networks.
>>> Simo.
>> Nothing worse than asking Users Security related questions about opening
>> firewall ports.
>> Users will just answer yes, whether or not they are being hacked.
>> firefox wants to listen on port 9900 in order to see this page, OK?
> Which is not what I proposed Dan.
> I in fact said we should *NOT* ask per application.
> What we should ask is one single question, upon connecting to an unknown
> network: "Is this network trusted ?"
> If yes you open up to the local network. If no you keep ports not
> accessible on that network.
> We can hint that a cafe wifi is usually not trusted and users should say
> no, or perhaps we do not even ask and default to untrusted on open wifi
> networks, and only ask on secured networks (this would be my
> preference).
Didn't mean to accuse you of saying that.  I do like the idea of asking
if you are on a "trusted" network.
>> 99.999% will answer yes, and be aggravated.
>> Setting up a rule that says app XYZ is allowed to open certain ports
>> would be a great step forward.  But there would need to be a provable
>> way to guarantee that only the XYZ application is able to open those
>> ports.  You could do this with SELinux, but we would need to transition
>> user apps to certain domains, but we would need to run users with a
>> confined domain, and stop disabling SELinux...
> I think we can do this in steps, I certainly agree with the long term
> goal.
> Simo.
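The per-network policy Simo describes (default open Wi-Fi to untrusted without prompting, ask a single "Is this network trusted?" question once per secured network, then expose local services only on trusted networks) can be sketched as a small policy class. The code below is an added example for this thread, not code from Fedora, firewalld or NetworkManager. It assumes firewalld's default zone names `home` and `public` as the two trust levels, a constructed mapping of which services each zone exposes (not firewalld's real zone files), a UI callback `ask` standing in for the prompt, and the real `nmcli connection modify ... connection.zone` property to bind the chosen zone to the connection profile.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Zone names are firewalld's defaults; the service sets behind them are a
# constructed assumption for this example, not firewalld's actual definitions.
ZONE_SERVICES: Dict[str, Set[str]] = {
    "home": {"ssh", "mdns", "samba-client", "dhcpv6-client"},
    "public": {"dhcpv6-client"},
}


@dataclass(frozen=True)
class Network:
    ssid: str
    secured: bool  # WPA/WPA2-protected vs. an open (unencrypted) network


class TrustPolicy:
    """Decide per network whether local services are reachable from it.

    - open Wi-Fi: treated as untrusted, the user is never prompted
    - secured network: ask "Is this network trusted?" once, remember the answer
    """

    def __init__(self, ask: Callable[[Network], bool]):
        self._ask = ask                       # UI callback for the single question
        self._answers: Dict[str, bool] = {}   # remembered answers, keyed by SSID

    def trusted(self, net: Network) -> bool:
        if not net.secured:
            return False                      # open wifi: default untrusted, no prompt
        if net.ssid not in self._answers:
            self._answers[net.ssid] = bool(self._ask(net))  # asked exactly once
        return self._answers[net.ssid]

    def zone(self, net: Network) -> str:
        return "home" if self.trusted(net) else "public"

    def reachable_services(self, net: Network) -> Set[str]:
        """Services other hosts on this network could reach."""
        return set(ZONE_SERVICES[self.zone(net)])

    def nmcli_command(self, net: Network) -> str:
        """Bind the zone to the connection profile so NetworkManager hands the
        interface to that firewalld zone on every reconnect."""
        return f'nmcli connection modify "{net.ssid}" connection.zone {self.zone(net)}'


if __name__ == "__main__":
    # Constructed sample networks; the prompt is simulated by a fixed answer.
    policy = TrustPolicy(ask=lambda net: net.ssid == "HomeLAN")
    for net in (Network("Cafe-Free-WiFi", secured=False),
                Network("HomeLAN", secured=True),
                Network("OfficeGuest", secured=True)):
        print(net.ssid, "->", policy.zone(net),
              sorted(policy.reachable_services(net)))
        print("   ", policy.nmcli_command(net))
```

The point of remembering the answer by SSID is that the question is asked once per network rather than once per application or per connect, which is exactly the difference between Simo's proposal and the per-port prompt Dan objects to.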
