F21 System Wide Change: Workstation: Disable firewall

Reindl Harald h.reindl at thelounge.net
Sun Apr 20 20:56:04 UTC 2014

On 20.04.2014 22:44, drago01 wrote:
> On Sun, Apr 20, 2014 at 10:15 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
>> On 20.04.2014 20:19, drago01 wrote:
>>> On Sun, Apr 20, 2014 at 6:53 PM, Kevin Kofler <kevin.kofler at chello.at> wrote:
>>>> Christian Schaller wrote:
>>>>> where we at the same time need to allow each user to have any port they
>>>>> desire opened for traffic to make sure things like DLNA or Chromecast
>>>>> works.
>>>> Such things MUST NOT be enabled by default.
>>> No one suggested that. Currently the user enables them and they do not
>>> work until after he/she disables the firewall
>> wrong - until he *configures* the firewall
> If that knowledge is present sure

and disable it hence the knowledge is not there is the Apple way
do you really think the market share of Linux will explode if
we provide unsecure defaults? i doubt

> If it isn't then either "this shit does not work" or the user will 
> somehow find out that it is caused by the firewall and try
> to disable it

or try to get the knowledge to configure it
in any case the user decides instead of blaming Fedora for the damage
done with insecure defaults

>> to open the needed ports
>> if that can't be half-automated with confirmation in any case
>> even open the ports full automated should be strongly prohibited
> The user did choose to share data ... configure the firewall to allow
> it automatically
> should not be "strongly prohibited" because the user has chosen to
> share the data.
> Showing him information that the data would be shared to everyone on
> this network
> is fine but as soon as you go into implementation details and talk
> about ports you lost
> the user and he/she will just click "yes/ok/continue" ...

yes the user did click "share data"

and you really think he also meant "share data to the whole internet"?

>> because taking away the users control is *not* why Linux as
>> project was started
> Again strawman .. its not about taking control from the user (you
> still can control the firewall settings)

you refuse to understand security basics

after you booted the newly installed machine and open ports of
possibly vulnerable services which need updates it is
*too late* to enable the firewall for preventing already
happened damage

> but let the computer do work in an automated way for the user i.e "why
> computers have been created"

*that* is a strawman

some people think computer needs to be that easy to
handle like a microwave - but the same people refuse
to understand that a computer is way more complex

don't you think there is a reason for get a driver license
before you are allowed to enter a public street?

>> i doubt that *any* software on this planet needs the firewall to be
>> completely disabled and if such crap was written because using random
>> ports for no good reason it has no existence authority
> No it does indeed not *need* to be completely disabled but apps should
> not open random ports without any reason to begin with
> (we should not ship those and we have a rule to not enable network
> facing services by default despite of the firewall)

but this damned proposal is about *completely disable it*

did you read the OP?
did you try to understand it?

in simple words it means "because we are currently unsure
how to provide secure defaults while not block enabled
services we give up and throw away security at all because
we prefer anything working out of the box without minimal
understanding of the user what he is doing over security"

then just install one of the already available by default
unsecure operating systems instead of damaging Linux and bringing
it into the same bad shape - there are enough Linux users
which chose the OS because it's by default configured in
a secure way and that is what users expect in 2014
