and that is why we need a firewall -> Re: When a yum update sets up an MTA ...

Reindl Harald h.reindl at thelounge.net
Mon Apr 28 11:01:22 UTC 2014



On 28.04.2014 12:42, David Woodhouse wrote:
> On Mon, 2014-04-21 at 09:42 +0200, Reindl Harald wrote:
>>
>> On 21.04.2014 03:39, Lars Seipel wrote:
>>> Nicely aligning with the current firewall thread I noticed that one of
>>> my machines was running the exim MTA for the last few days, dutifully
>>> listening on all interfaces
>>
>> and now it is *proven for sure* that disabling the firewall
>> by default is the dumbest thing a distribution can do
> 
> This doesn't make much sense to me

what exactly?

that an open port 25 on the WAN caused by a package error is critical?
that any open port on the WAN caused by a package error is critical?

> Take a look at the wording of the proposed change: "The current level of
> integration into the desktop and applications does not justify enabling
> the firewalld service by default."

I know that wording

> Now imagine the situation if we take the opposite approach — we *fix*
> the integration, and leave it enabled by default.

yes

> Fixing the integration means that installing packages which need to
> listen on a network socket should Just Work™. That means they'll talk to
> firewalld somehow, to enable their ports.

yes, but not *all ports*, and not uncomprehensively at all

you really don't want to open SMB on the WAN just because you
want to share a folder

> We need that, because from a usability point of view it just isn't
> acceptable to have things which *appear* to work when you test them from
> localhost, but silently fail when you connect from the outside. That's a
> really insidious failure mode which has bitten me a number of times when
> I've forgotten to turn off the misguided firewall on a newly-installed
> machine.

the user needs a way to decide where the port should be open

* local network
* wan
* only localhost

> So when it's all finished and working properly, the firewall doesn't
> really buy you anything in this case. A package which is set up to
> listen by default will still do that, and it'll still be a bug in the
> package in question.

*no not on the WAN*

what you really refuse to understand is the implication of disabling the
firewall at all - frankly, in the early KDE4 days there were ports
from KDE applications listening on 0.0.0.0 which were for sure never
intended to be reachable from the internet - yes, those were all bugs

but realize that we can't pretend to live in a bugfree world

that would mean the ports below would be open to the internet - that's
just ZendStudio (not a Fedora package), which at startup tries to check
if there is already an instance running on another computer with the
same serial; neither you nor I have to justify that, that's real life as it is

if you don't care about such cases, stop pretending you are building
an operating system - on an operating system there is a world outside
the distribution's repos

[root at rh:~]$ netstat -l | grep java
tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      15717/java
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      15717/java
tcp        0      0 0.0.0.0:20080           0.0.0.0:*               LISTEN      15717/java
udp        0      0 0.0.0.0:4321            0.0.0.0:*                           15717/java

> You can make sure that only the MTA is listening on port
> 25 and not anything else

and even if - having an MTA reachable on the WAN after installing it,
before you have configured it for production use (if you even intend
to do that), is the dumbest thing possible

that said, from a professional mailserver admin!
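As an added illustration (not part of the original mail or thread), here is a small defender-side audit that parses a `netstat -lnp` style listing like the one quoted above and flags every socket bound to all interfaces, i.e. the ones that would be reachable from the WAN if no host firewall stood in front of them. The sample lines are constructed for this example and modelled on the quoted output; the exim, sshd and ntpd rows are invented for contrast.

```python
# Constructed example: audit a netstat listing for sockets bound to all
# interfaces.  Sample rows modelled on the output quoted in the mail.
from dataclasses import dataclass

SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      15717/java
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      15717/java
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2041/exim
tcp6       0      0 :::22                   :::*                    LISTEN      911/sshd
udp        0      0 0.0.0.0:4321            0.0.0.0:*                           15717/java
udp        0      0 192.168.1.10:123        0.0.0.0:*                           870/ntpd
"""

WILDCARD = {"0.0.0.0", "::", "*"}   # bound to every interface
LOOPBACK = {"127.0.0.1", "::1"}     # reachable from this host only


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    program: str

    @property
    def scope(self) -> str:
        """Reachability judged from the bind address alone (no firewall)."""
        if self.addr in WILDCARD:
            return "all-interfaces"
        if self.addr in LOOPBACK or self.addr.startswith("127."):
            return "localhost"
        return "specific-address"


def parse_netstat(text: str) -> list[Listener]:
    """Parse tcp/udp rows of `netstat -lnp` output.  UDP rows carry no
    State column, so we key on the Local Address column, not on LISTEN."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # header, blank or unix-socket rows
        addr, _, port = fields[3].rpartition(":")  # copes with ":::22"
        program = fields[-1] if "/" in fields[-1] else "-"
        listeners.append(Listener(fields[0], addr, int(port), program))
    return listeners


def exposed_listeners(text: str) -> list[Listener]:
    """Sockets that would answer on every interface, WAN included."""
    return [l for l in parse_netstat(text) if l.scope == "all-interfaces"]


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{l.proto} {l.port:>5} bound to all interfaces by {l.program}")
```

Run against live output with `netstat -lnp | python3 audit.py` after replacing the sample with `sys.stdin.read()`; the loopback-only exim row shows what a correctly defaulted MTA would look like before configuration.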
