"Workstation" Product defaults to wide-open firewall

Kevin Kofler kevin.kofler at chello.at
Mon Dec 8 06:41:52 UTC 2014


I just happened to look at the firewalld default settings, and I was not 
amused when I noticed this:
>  <port protocol="udp" port="1025-65535"/>
>  <port protocol="tcp" port="1025-65535"/>
This "firewall" is a joke! ALL higher ports are wide open!

There had been a prior discussion on this list where they wanted to disable 
the firewall entirely. We told them that that's a horrible idea (which it 
is, of course!). But the result is that they implemented this "solution" 
which is almost entirely as bad, and which additionally gives users a false 
sense of security, because a "firewall" is "enabled" (for a very twisted 
definition of "enabled").

IMHO, this is a major security issue that MUST be fixed. It also shows what 
horribly bad an idea per-Product configuration is.

Yet another reason why you should NOT use "--product=workstation" to upgrade 
your F20 to F21 (ALWAYS use "--product=nonproduct"). Installing the 
"Workstation Product", or upgrading to it, will leave you with a totally 
insecure system.

        Kevin Kofler

More information about the devel mailing list