F21 System Wide Change: Workstation: Disable firewall

Reindl Harald h.reindl at thelounge.net
Sun Apr 20 22:39:28 UTC 2014



Am 21.04.2014 00:22, schrieb drago01:
> On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> 
>> * there are network services enabled by default
> 
> Again that's a bug and a viloation of the guidelines. Which services
> are you talking about?
> Please file bugs.

please stop to prove even more that you have no clue of security
a firewall and security layers are to prevent from *UNKNOWN* mistakes in the future
they are to prevent expose network services to the WAN which most likely are
intented for the local netwotk by the user (SMB and so on)

hope that the ISP is blocking incoming SMB connections from the WAN is not enough

* file bugs don't help in that context
* the damned ISO image don't get fixed
* even if it is replaced it takes way too long
* the already existing setups are insecure

"If you really know what you are doing you do *not* enable network
facing services without installing updates first" was honestly
enough to prove your missing understanding of the ordinary user
because the ordinary users install his OS and starts whatever
he wants to do with his computer - thinking that the first he
does before start network aware services is too seek for
security updates is laughable to say it in nice words

>> * avahi is one of them
> 
> You keep listing this as an example but avahi is not only installed
> and enabled by default
> but also allowed configured to work in the default firewall setup
> since F18 [1] ...

bad enough

> So the current default firewall won't protect you against avahi flaws.
> 
>> * you nor i can say for sure avahi never ever get a critical security update
> 
> See above.

see above

>> * you nor i can be sure that there is not another network-service is running
>> * even if it is not running by intention it may be running by mistake as default
>> * so after you installed a new system avahi is running and the firewall down
> 
> See above

there is nothing to read above

you don't understand what a "safe default" means
you even refuse try to understand it which is horrible in 2014

>> * how do you genius install the updates without a network
>> and to *not* have to consider what is safe and what you have to stop after
>> a fresh install before you can plug your machine to the network for install
>> security relevant updates a firewall has to be enabled by default
> 
> Again you
> 
> 1) assume that we enable random services by default and the firewall
> is the only thing that protects freshly installed systems
> 2) that given the user options that do not work and force him to learn
> about computer networks to do basic tasks is how things should work
> 
> both are false.

for you

not for people care about default security

> Sure disabling the firewall is not the only way to solve 2) but the
> "silently make things not work" i.e the status quo or "ask a user
> questions that he does not understand"
> are no solutions.

until you come up with better ones they are
disable the firewall is no solution

> There have been other suggestions in this thread that are helpful like
> the network zones thing (but we still have too many zones) or enabling
> services should make them work i.e
> just enable the firewall rules.

which make sense

your "if you are know what you are doing you don't" does not make sense
the user knowing whate he is doing don't need hand holding in any case

we are talking about terrible defaults

>> honestly it's good that you are out of this discussion because you seem
>> to not have you clue about security nor understand the implications of
>> "who knows hat he is doing and why the one who don't need sane defaults"
> 
> No the reason is simply that talking to you is very annoying

most of the time talking to people with a clue what they are talking about
is annoying - well, there are two choices. try to understand what they
are talking about or keep annoyed

> you resort to baseless attacks (like the this one) and strawmans.
> 
> 1: http://fedoraproject.org/wiki/Features/AvahiDefaultOnDesktop

well, maybe Avahi is a bad example because the major mistake in that
case already happened, but that's a weak excuse to make more wrong
decisions and throw the whole security of the distribution in a
default setup away

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140421/000ca519/attachment.sig>


More information about the devel mailing list