F21 System Wide Change: Workstation: Disable firewall
mitr at volny.cz
Thu Apr 17 21:42:30 UTC 2014
2014-04-16 14:28 GMT+02:00 Josh Boyer <jwboyer at fedoraproject.org>:
> For a quick summary:
> 1) With a firewall enabled, network services don't work without manual
To be perfectly clear, the vast majority of network applications work perfectly
fine. Network *servers* need manual intervention.
> 2) With firewalld active, any privileged application can open a port
> in the firewall (and most will be privileged because they will be
> packaged that way.)
No; most applications are not packaged in any way to get extra privilege to
manage a firewall, and they *shouldn't*; applications poking holes in a
firewall for themselves is pointless cargo-cult nonsense.
Some *user accounts* (members of wheel) are set up to be sufficiently
privileged/root-equivalent so that they can open a port, but they really
*are* root-equivalent so the specifics of what they can do to the firewall
are not much relevant... at that point you really either trust all software
you run, or not.
There *could* be applications specifically designed to open a port in the
firewall even for unprivileged users (e.g. by having a separate privileged
helper talk to firewalld), but I don't think there actually are any.
> 3) With no firewall enabled and no network services started, there is
> no security issue because there are no open ports.
There still are all the security issues with outgoing communication; in
particular, the browser does matter (much more than say portmap) and the
firewall cannot protect it.
> 4) With no firewall but active network services, you have open ports
> just as you would in the firewalld or manual intervention firewall
No because 2) is false... or yes for the wheel-member users.
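The disagreement above comes down to which listening servers are actually reachable from the network once a firewall is (or is not) in front of them. The following audit is an added example, not code from this thread or from the firewalld project: it parses constructed `ss -tlnp`-style output together with constructed firewalld `--list-services` / `--list-ports` output for the active zone, and reports sockets bound to non-loopback addresses that no firewall rule permits. The `SERVICE_PORTS` table is an assumed subset of the real service definitions under `/usr/lib/firewalld/services/`; the sample socket and zone data are constructed, not captured from a host.

```python
"""Audit listening TCP sockets against a firewalld zone's permitted ports.

Added example for this thread, not code from the mail or from firewalld.
Input is constructed `ss -tlnp`-style output and firewalld `--list-services`
/ `--list-ports` output embedded below; on a live host the same functions
would be fed the output of those commands.
"""
import re

# Constructed sample of `ss -tlnp` output (not captured from a real system).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
LISTEN 0      50     *:8080              *:*               users:(("python3",pid=2210,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Constructed firewalld state for the active zone (ssh allowed, nothing else).
FIREWALLD_SERVICES = "dhcpv6-client ssh"
FIREWALLD_PORTS = ""

# Assumed subset of firewalld service definitions (service name -> ports).
SERVICE_PORTS = {
    "ssh": {("22", "tcp")},
    "dhcpv6-client": {("546", "udp")},
    "ipp": {("631", "tcp")},
}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss(text):
    """Return (address, port, process) tuples for every LISTEN line."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")  # handles [::]:22 and *:8080
        addr = addr.strip("[]")
        match = re.search(r'\("([^"]+)"', line)  # process name inside users:((...))
        proc = match.group(1) if match else "?"
        sockets.append((addr, port, proc))
    return sockets


def permitted_ports(services, ports):
    """Expand zone services and explicit ports into a set of (port, proto)."""
    allowed = set()
    for svc in services.split():
        allowed |= SERVICE_PORTS.get(svc, set())
    for entry in ports.split():                  # e.g. "8080/tcp"
        port, _, proto = entry.partition("/")
        allowed.add((port, proto))
    return allowed


def exposed_without_rule(ss_text, services, ports):
    """Listening TCP sockets on non-loopback addresses with no firewalld rule.

    Returns a sorted list of (port, process) so repeated sockets (IPv4 and
    IPv6 for the same daemon) collapse into one finding.
    """
    allowed = permitted_ports(services, ports)
    return sorted({
        (port, proc)
        for addr, port, proc in parse_ss(ss_text)
        if addr not in LOOPBACK and (port, "tcp") not in allowed
    })


if __name__ == "__main__":
    for port, proc in exposed_without_rule(SS_OUTPUT, FIREWALLD_SERVICES, FIREWALLD_PORTS):
        print(f"port {port}/tcp ({proc}) is listening but no firewalld rule permits it")
```

In the constructed data, sshd is covered by the `ssh` service, cupsd is bound to loopback only and so is not reachable regardless of the firewall, and the ad-hoc server on 8080 is the one case the thread is arguing about: with the firewall active it is blocked until someone with the right privileges adds a rule; with the firewall disabled it is simply open.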