and that is why we need a firewall -> Re: When a yum update sets up an MTA ...

Reindl Harald h.reindl at thelounge.net
Mon Apr 28 17:13:05 UTC 2014



On 28.04.2014 19:04, Miloslav Trmač wrote:
> 2014-04-28 18:59 GMT+02:00 Reindl Harald <h.reindl at thelounge.net>:
> 
>     On 28.04.2014 18:52, Miloslav Trmač wrote:
>     > No no no no no.  If you want a firewall "integrated" /that/ way, you are really
>     > better off uninstalling it or opening it up; it serves no purpose.
> 
>     no, even if that way is completely wrong it's better than no firewall
>     as i have explained multiple times there may run software not from
>     the Fedora repos which opens ports unintentionally from the user's
>     point of view and especially a user with no network experience
>     will not realize that - and yes that software matters because
>     we are talking about an *operating system*
> 
> Well if the users' expectations were that the firewall doesn't "interfere" with Fedora applications, why would they
> expect it to "interfere" with non-Fedora applications?

do i really need to explain that?

you can make signed fedora packages trusted and allow them
at install or first start to interact with firewalld

you can't do that for http://www.zend.com/de/products/studio/downloads
you can't also explain to zend they should not open ports with an IDE
you can't do the same for any other software manufacturer
you can't do that even Fedora, see the thread-start for the sake of god

security doesn't work the way what people should do
security works the way "what could people do wrong"

>     the next thing is when it comes to malware opening ports
>     there are two types of malware:
> 
>     * privilege escalation (you have lost)
>     * crap trying to open an unprivileged port with user permissions
> 
> The second case is a subset of the first one anyway :)

no - privilege escalation is meant as get root permissions

> And doesn't every malware know to make an _outgoing_ connection to an IRC server nowadays?  
> Stopping malware by blocking incoming connections is fairly illusory IMHO

i find it perverse that such basics need to be discussed

* you can't reach 100% security, never, in no way
* you can only try to make it as tight as possible
* each of your protections will stop some bad cases
* enough of them with some luck the one user A, B, C would have hit before updates

do you *really* not want to understand what people are explaining?
http://www.zend.com/de/products/studio/downloads opens ports
to talk inside the LAN and prohibit starting the product on
two machines with the same license key

*YOU DO NOT WANT THOSE PORTS OPEN ON THE INTERNET BECAUSE WRONG OS-DECISIONS*

and that is besides VMware the only software not coming via yum in my case
1 out of 2 commercial products should fairly explain why nobody right in
his brain designs in 2014 an operating system with no packet filter at all
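
Added example, not part of the original message: a way to check which listening TCP sockets a host exposes beyond loopback, the situation described above where third-party software opens a port the user never asked for. It parses the Linux /proc/net/tcp table (IPv4 only, little-endian host assumed); the function names and the sample table, including port 10102 and uid 1000, are constructed for illustration.

```python
import ipaddress
import socket
import struct

TCP_LISTEN = 0x0A  # "st" value for a listening socket in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (IPv4 only), not from a real host.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 00000000:2776 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222
   2: 0A00000A:0016 1400000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 33333
"""

def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (ip, port); assumes a little-endian host."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def listening_sockets(table_text):
    """Return one dict per socket in LISTEN state, skipping the header row."""
    rows = []
    for line in table_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8 or int(f[3], 16) != TCP_LISTEN:
            continue  # malformed row, or an established/closing connection
        ip, port = decode_endpoint(f[1])
        rows.append({"ip": ip, "port": port, "uid": int(f[7]),
                     # bound to something other than 127.0.0.0/8
                     "exposed": not ipaddress.ip_address(ip).is_loopback})
    return rows

def exposed_listeners(table_text):
    """Listeners reachable from the network unless a packet filter drops them."""
    return [r for r in listening_sockets(table_text) if r["exposed"]]

if __name__ == "__main__":
    for r in exposed_listeners(SAMPLE):
        print(f"{r['ip']}:{r['port']} uid={r['uid']} "
              "reachable unless a packet filter blocks it")
```

On a real host, pass the contents of /proc/net/tcp instead of SAMPLE; IPv6 listeners are in /proc/net/tcp6, which this example does not parse.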
