F21 System Wide Change: Workstation: Disable firewall

Reindl Harald h.reindl at thelounge.net
Sun Apr 20 23:14:34 UTC 2014



On 21.04.2014 00:59, drago01 wrote:
> On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> 
>>> There have been other suggestions in this thread that are helpful like
>>> the network zones thing (but we still have too many zones) or enabling
>>> services should make them work i.e.
>>> just enable the firewall rules.
>>
>> which makes sense
> 
> Oh finally you seem to understand what this is all about (a few mails
> ago this was supposed to be "strongly prohibited" ...)

if we talk about security business it is still wrong but somehow
acceptable - the problem you refuse to understand is that installing
and starting a service does not mean it should be reachable from the
network without confirmation

if somebody installs httpd on his developer workstation it does
not mean he wants to open the service for any machine but localhost
as example - the opposite is true because during development it's
most likely insecure whatever runs there

> Now please google for "Psychological Acceptability and Security" you
> will find tons of scientific papers (read them) explaining about why
> it is wrong to silently break stuff or ask "yes / no" questions or
> argue with "this is not a blackbox the user should learn" nonsense.

that's not nonsense - that's the truth
you can accept that or put your head in the sand

at the end of the day any user pulling a network cable into his
machine or connecting to an open WLAN will sooner or later get
into trouble - the question is not if, the only question is how
much time it takes

> There is a difference between a software developer, a sysadmin and a
> user that simply wants to share his music with his family

and since you don't know who is in front of a newly installed
machine the defaults need to be secure

> The latter should not have to learn about computer security to do it

i doubt he will be thankful for sharing his music to the whole
internet by default after he gets jailed

> while for the former it does not matter that much as you said because
> they ought to know what to do or where to get that information from.

but they may make decisions based on "this distribution has insane
and insecure defaults, better take a different one"

> As for filing bugs because it's broken even if it is not (obviously)
> exploitable because security mechanisms (firewall, selinux, nx, ...)
> are in place does not mean that we should not fix them

surely we should fix them

but your "because security mechanisms (firewall)" is perverse in a thread
with the subject "disable firewall"

for me personally all of that, like most other Fedora decisions, doesn't matter
because i get paid for secure networks and invent network wide defaults
with no care what the distribution's ones are - but that's not the typical
user and that is why i refuse to understand such insane proposals like
"we don't know how to handle usability and firewall and so we disable
the firewall"
