F21 System Wide Change: Workstation: Disable firewall

Miloslav Trmač mitr at volny.cz
Thu Apr 17 21:42:30 UTC 2014


Hello,
2014-04-16 14:28 GMT+02:00 Josh Boyer <jwboyer at fedoraproject.org>:

> For a quick summary:
>
> 1) With a firewall enabled, network services don't work without manual
> intervention.
>

To be perfectly clear, the vast majority of network applications work perfectly
fine.  Network *servers* need manual intervention.

> 2) With firewalld active, any privileged application can open a port
> in the firewall (and most will be privileged because they will be
> packaged that way.)
>

No; most applications are not packaged in any way to get extra privilege to
manage a firewall, and they *shouldn't*; applications poking holes in a
firewall for themselves is pointless cargo-cult nonsense.

Some *user accounts* (members of wheel) are set up to be sufficiently
privileged/root-equivalent so that they can open a port, but they really
*are* root-equivalent, so the specifics of what they can do to the firewall
are not very relevant... at that point you really either trust all software
you run, or not.

There *could* be applications specifically designed to open a port in the
firewall even for unprivileged users (e.g. by having a separate privileged
helper talk to firewalld), but I don't think there actually are any.

> 3) With no firewall enabled and no network services started, there is
> no security issue because there are no open ports.
>

There still are all the security issues with outgoing communication; in
particular, the browser does matter (much more than say portmap) and the
firewall cannot protect it.

> 4) With no firewall but active network services, you have open ports
> just as you would in the firewalld or manual intervention firewall
> case
>

No because 2) is false... or yes for the wheel-member users.
    Mirek