an that is why we need a firewall -> Re: When a yum update sets up an MTA ...

Reindl Harald h.reindl at thelounge.net
Mon Apr 28 16:59:03 UTC 2014


Am 28.04.2014 18:52, schrieb Miloslav Trmač:
> 2014-04-28 12:42 GMT+02:00 David Woodhouse <dwmw2 at infradead.org <mailto:dwmw2 at infradead.org>>:
> 
>     On Mon, 2014-04-21 at 09:42 +0200, Reindl Harald wrote:
>     > Am 21.04.2014 03:39, schrieb Lars Seipel:
>     > > Nicely aligning with the current firewall thread I noticed that one of
>     > > my machines was running the exim MTA for the last few days, dutifully
>     > > listening on all interfaces
>     >
>     > and now it is *proven for sure* that disable the firewall
>     > by default is the most dumb thing a distribution can do
> 
>     This doesn't make much sense to me.
> 
>     Take a look at the wording of the proposed change: "The current level of
>     integration into the desktop and applications does not justify enabling
>     the firewalld service by default."
> 
>     Now imagine the situation if we take the opposite approach — we *fix*
>     the integration, and leave it enabled by default.
> 
>     Fixing the integration means that installing packages which need to
>     listen on a network socket should Just Work™. That means they'll talk to
>     firewalld somehow, to enable their ports.
> 
> No no no no no.  If you want a firewall "integrated" /that/ way, you are really
> better of uninstalling it or opening it up; it serves no purpose.

no, even if that way is completly wrong it's better than no firewall
as i have explained multiple times there may run software not from
the Fedora repos which opens ports unintentionally from the users
point of view and especially a user with no network expierience
will not realize that - and yes that software matters because
we are talking about a *operating system*

the next thing is when it comes to malware opening ports
there are two types of malware:

* privilege escalation (you have lost)
* crap try to open a unprivileged port with user permissions

the second one has to be stopped and please don't come with "that
could be stopped with SElinux" -> layered security

you need to tealize security as a big picture with as much
defense layers as possible and whoever thinks "no, this
and that leayer is not needed because we have A, B, C" has
no clue about security at all and nothing learned in the last
few years from things which happened in the wild

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140428/53ba25bd/attachment.sig>


More information about the devel mailing list