F21 System Wide Change: Workstation: Disable firewall

Miloslav Trmač mitr at volny.cz
Thu Apr 17 21:25:56 UTC 2014

2014-04-15 18:13 GMT+02:00 Andrew Lutomirski <luto at mit.edu>:

> > Example: user installs software X... but oops, they didn't realize it
> > was going to listen on port Y.... but that's okay, because no firewall
> > rule has been enabled to allow traffic on port Y, so the user is
> > secure.
> This sounds like a problem that should be separately fixed.

Well, yes, but then *we really need to be 100% sure we have fixed it*.  See
also your own report that installing gnome-boxes pulls in running services
with open ports.

> With firewalls, a service, system or otherwise, can be in one of three
> states: a) listening w/ firewall open, b) listening w/ firewall
> closed, c) and not listening.
d) not listening, actively opening connections to the outside, and sending
users' private data over there, or receiving commands from there to send
arbitrary data.

Just so we are clear on the relative threat levels, malicious applications
(if you are lucky, "only collecting data for the purpose of advertising")
are so frequent nowadays that *they* are the primary threat of unwanted
network communication, perhaps comparable only to automated ssh password
guessing bots.  Linux has so far been "lucky" in not having enough
third-party applications for this to be a threat yet, but Workstation
intends that to change.  (And no, a firewall won't help you at all for d) ).

> I keep thinking that, if I had unlimited time, I'd write a totally
> different kind of firewall.  It would allow some policy (userspace
> daemon or rules loaded into the kernel) to determine when programs can
> listen on what sockets and when connections can be accepted on those
> sockets.

Similarly, ports (what I assume you mean) are getting less and less
important nowadays.  So much happens multiplexed over HTTP, and there are
various "zero-config" browsing/advertising mechanisms that don't require
use of fixed ports, only the privilege to advertise a port through the
browsing mechanism.

> Wouldn't it be great if, when you start some program that wants to
> listen globally, your system could prompt you and ask whether it was
> okay, even if that program didn't know about firewalld?

In general (assuming "unknown software" and not just specific 3 services
that can be individually handled in control-center, or software
specifically adjusted by Fedora to know about firewalld), no.  I have no
idea what the program is going to send over that connection, so I don't
know how to answer, and the program can send the same data through an
outgoing connection without ever interacting with the restricted listening
functionality; I simply must trust the author of that program—or to prevent
the program from accessing my data at all, and then the answer doesn't
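As an added example that is not part of the thread: a small Python audit that sorts each listening TCP socket into the states discussed above (listening with the firewall open, listening with the firewall closed, or bound to loopback where the firewall is irrelevant), working from the output of `ss -ltnp` and a firewalld-style allowed-port list. The socket list and the allowed ports are constructed samples, and the `ss` column layout is an assumption; state d), a program that only opens outbound connections, does not appear in such data at all, which is the point the message makes.

```python
"""Classify listening TCP sockets against the firewall's allowed ports.

Added example for this discussion, not code from the thread. The inputs
mirror the format of `ss -ltnp` (without its header line) and of
`firewall-cmd --list-ports`; both samples below are constructed.
"""
import re

# Constructed sample in the shape of `ss -ltnp` output (no real host).
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=902,fd=7))
LISTEN 0 5 *:5900 *:* users:(("vino-server",pid=2410,fd=12))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=811,fd=4))
"""

# Constructed firewalld-style allowed ports ("port/protocol" tokens).
ALLOWED_PORTS = "22/tcp 5353/udp"

LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss(text):
    """Yield (process, bind_address, port) for every LISTEN line."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # "Local Address:Port"
        addr = addr.strip("[]")                  # "[::]" -> "::"
        m = re.search(r'\("([^"]+)"', line)      # first process name, if any
        yield (m.group(1) if m else "?"), addr, int(port)


def parse_allowed(text, proto="tcp"):
    """Return the set of port numbers allowed for `proto`."""
    return {int(t.split("/")[0]) for t in text.split() if t.endswith("/" + proto)}


def classify(ss_text, allowed_text):
    """Map (process, port) to one of the states from the discussion:
    'listening/open'   -> a) reachable through the firewall
    'listening/closed' -> b) listening, but the firewall blocks it
    'loopback-only'    -> bound to localhost, so the firewall is irrelevant
    Outbound-only programs (state d) are invisible to this check."""
    allowed = parse_allowed(allowed_text)
    result = {}
    for proc, addr, port in parse_ss(ss_text):
        if addr in LOOPBACK:
            state = "loopback-only"
        elif port in allowed:
            state = "listening/open"
        else:
            state = "listening/closed"
        result[(proc, port)] = state
    return result
```

Any entry marked `listening/closed` is a service that became reachable the moment the firewall was dropped; that is the list worth reviewing before a change like this one.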