an that is why we need a firewall -> Re: When a yum update sets up an MTA ...

Reindl Harald h.reindl at thelounge.net
Mon Apr 28 17:47:13 UTC 2014 


Am 28.04.2014 19:36, schrieb Miloslav Trmač:
> 2014-04-28 19:33 GMT+02:00 Reindl Harald <h.reindl at thelounge.net <mailto:h.reindl at thelounge.net>>:
> 
>     Am 28.04.2014 19:27, schrieb Miloslav Trmač:
>     > 2014-04-28 19:13 GMT+02:00 Reindl Harald:
>     >     you can make signed fedora packages trusted and allow them
>     >     at install or first start to interact with firewalld
>     >
>     > I can't; ptrace() doesn't make such a distinction.
> 
>     than that needs to be improved
> 
> We are working on improving it.  It will still take quite a lot of time I'm afraid.

so the status quo needs to be unchanged until then

>     > Still, the combined measures need to mitigate at least, say, 75% of cases,
>     > otherwise we're not really having enough impact
> 
>     in a perfect world yes, even more than 75%
> 
>     in reality: only *the one an donly* case which affects me untila update is released
>     we need the > 75% because we don't know what is needed when
>  
> Good point, the "new system needs to be safely updatable" is an important case to consider.  (It's also the easiest
> one to handle, by not having the service start, and testing for that.)

you can't do that
even if you could in theory it must not be the only safety net

you choose at installation software XYZ wich may listen on ports
that's the whole argumentation of dropping the firewall to make
these things working out-of-theb-box the easy way

there is a timewindow between installation and get the latest updates
well, you need the network to fetch that updates

and what is permanently ignored here and proves that the proposal
disable the firewall completly is a clueless ignoring reality
is that "i want saba to share files" *never ever* means "oh
and samba should be reachable from the internet"

in no case - independent of possible vulerabilities which needs to be
closed by fetch updates over the internet you want smaba be reachable
on the WAN and the one idiot out of a million which wants that don't
really so - he just don't know what he really wants

one of the goals of sane and secure OS defaults is to protect
users from themself

even if the only thing you reach is a timewindow from start to find out
how to disable the firewall until find how to do to think about that
idea and come to the conclusion do that unconditionally is a bad idea
you reached a lot -> a handful users not doing so

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140428/c7954026/attachment.sig>

More information about the devel mailing list