and that is why we need a firewall -> Re: When a yum update sets up an MTA ...

Reindl Harald h.reindl at
Mon Apr 28 17:13:05 UTC 2014

On 28.04.2014 19:04, Miloslav Trmač wrote:
> 2014-04-28 18:59 GMT+02:00 Reindl Harald <h.reindl at>:
>     On 28.04.2014 18:52, Miloslav Trmač wrote:
>     > No no no no no.  If you want a firewall "integrated" /that/ way, you are really
>     > better off uninstalling it or opening it up; it serves no purpose.
>     no, even if that way is completely wrong it's better than no firewall
>     as i have explained multiple times there may run software not from
>     the Fedora repos which opens ports unintentionally from the user's
>     point of view and especially a user with no network experience
>     will not realize that - and yes that software matters because
>     we are talking about an *operating system*
> Well if the users' expectations were that the firewall doesn't "interfere" with Fedora applications, why would they
> expect it to "interfere" with non-Fedora applications?

do i really need to explain that?

you can make signed fedora packages trusted and allow them
at install or first start to interact with firewalld

you can't do that for
you can't also explain zend they should not open ports with an IDE
you can't do the same for any other software manufacturer
you can't do that even Fedora, see the thread-start for the sake of god

security doesn't work the way what people should do
security works the way "what could people do wrong"

>     the next thing is when it comes to malware opening ports
>     there are two types of malware:
>     * privilege escalation (you have lost)
>     * crap try to open an unprivileged port with user permissions
> The second case is a subset of the first one anyway :)

no - privilege escalation is meant as get root permissions

> And doesn't every malware know to make an _outgoing_ connection to an IRC server nowadays?  
> Stopping malware by blocking incoming connections is fairly illusory IMHO

i find it perverse that such basics need to be discussed

* you can't reach 100% security, never, in no way
* you can only try to make it as tight as possible
* each of your protections will stop some bad cases
* enough of them with some luck the one user A, B, C would have hit before updates

do you *really* not want to understand what people are explaining? opens ports
to talk inside the LAN and prohibit starting the product on
two machines with the same license key


and that is besides VMware the only software not coming via yum in my case
1 out of 2 commercial products should fairly explain why nobody right in
his brain designs in 2014 an operating system with no packet filter at all
