F21 System Wide Change: Workstation: Disable firewall
Miloslav Trmač
mitr at volny.cz
Thu Apr 17 21:14:53 UTC 2014
Hello,
Just some clarifications so that we are all on the same page; those don't
significantly affect the larger discussion though...
2014-04-15 17:40 GMT+02:00 Andrew Lutomirski <luto at mit.edu>:
> Can someone explain what threat is effectively mitigated by a firewall
> on a workstation machine? Here are some bad answers:
>
<snip>
> - WebRTC, VOIP, etc. issues? These use NAT traversal techniques that
> are specifically designed to prevent your firewall from operating as
> intended.
>
That's imprecise; NAT traversal techniques are designed to allow a
*specific* counterparty through the firewall, not everyone on the Internet
like disabling the firewall would do.
- DLNA / Chromecast / whatever: wouldn't it be a lot more sensible
> for these things to be off until specifically requested?
That would be about equivalent to controlling them only via a firewall.
> Who actually
> uses a so-called "zone" UI correctly to configure them?
"Who actually uses any other UI correctly to configure sharing
zones?"—nobody because there apparently isn't any. Firewalld has a zone
implementation that can be improved upon.
> How about
> having an API where things like DLNA can simply not run until you're
> connected to your home network?
>
Firewalld has a zone implementation that can be improved upon.
Also, having a firewall on exposes you to a huge attack surface in
> iptables, and it doesn't protect against attacks targeting the
> kernel's IP stack.
>
*Nothing* will ever protect you against attacks targetting the kernel's IP
sack, that's a strawman. And the entire premise of a firewall is that the
attack surface of the firewall (iptables in this case) is smaller than the
attack premise of applications behind; intuitively it's very likely to be
true, and AFAICT it's also been true historically.
Mirek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140417/2aa2c372/attachment.html>
More information about the devel
mailing list