F21 System Wide Change: Workstation: Disable firewall

Stephen Gallagher sgallagh at redhat.com
Tue Apr 22 11:40:05 UTC 2014



On 04/22/2014 05:43 AM, Christian Schaller wrote:
> 
> ----- Original Message -----
>> From: "Thomas Woerner" <twoerner at redhat.com> To:
>> devel at lists.fedoraproject.org Sent: Tuesday, April 22, 2014
>> 11:23:46 AM Subject: Re: F21 System Wide Change: Workstation:
>> Disable firewall
>> 
>> On 04/21/2014 12:22 AM, drago01 wrote:
>>> On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald
>>> <h.reindl at thelounge.net> wrote:
>>> 
>>>> * there are network services enabled by default
>>> 
>>> Again that's a bug and a violation of the guidelines. Which
>>> services are you talking about? Please file bugs.
>>> 
>>>> * avahi is one of them
>>> 
>>> You keep listing this as an example, but avahi is not only
>>> installed and enabled by default but also allowed and configured to
>>> work in the default firewall setup since F18 [1] ...
>>> 
>>> So the current default firewall won't protect you against avahi
>>> flaws.
>>> 
>> This has been added only because of a FESCo decision:
>> 
>> https://fedoraproject.org/wiki/Features/AvahiDefaultOnDesktop
>> 
> 
> Thank you for digging that ticket up Thomas. I think that ticket
> mentions something maybe a bit overlooked in this thread so far,
> "Real world security". I recommend everyone following this thread
> to watch this video of a talk by Russ Doty from Red Hat at this
> year's DevConf in Brno. His talk is about real world security,
> especially in the context of enterprise computing, but the issues
> he articulates form the underlying challenges of this thread too.
> 
> I think if everyone here sees this talk we could hopefully move this
> thread into a more constructive format.


Since you missed the link: https://www.youtube.com/watch?v=jYGgVUYjXQ8

I too recommend that everyone gives it a look. It is very insightful
and helpful in understanding what people really do once this gets out
the door.

Major points:
1) People turn off security features that they can't easily figure out
how to tune.
2) "Hackers" are a significantly smaller security threat than managers
("I need it to work now, we can secure it later!")
3) Recovery and auditing are more important than prevention.

Those are some of the basics, but it *really* is worth taking the 40
minutes to watch the whole thing.
