"Workstation" Product defaults to wide-open firewall

Christopher ctubbsii-fedora at apache.org
Mon Dec 8 06:55:00 UTC 2014


I just verified that I have the same default configuration from a clean
install. Not good at all. I expected more.


--
Christopher L Tubbs II
http://gravatar.com/ctubbsii

On Mon, Dec 8, 2014 at 1:41 AM, Kevin Kofler <kevin.kofler at chello.at> wrote:

> Hi,
>
> I just happened to look at the firewalld default settings, and I was not
> amused when I noticed this:
> http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> >  <port protocol="udp" port="1025-65535"/>
> >  <port protocol="tcp" port="1025-65535"/>
> This "firewall" is a joke! ALL higher ports are wide open!
>
> There had been a prior discussion on this list where they wanted to disable
> the firewall entirely. We told them that that's a horrible idea (which it
> is, of course!). But the result is that they implemented this "solution"
> which is almost entirely as bad, and which additionally gives users a false
> sense of security, because a "firewall" is "enabled" (for a very twisted
> definition of "enabled").
>
> IMHO, this is a major security issue that MUST be fixed. It also shows what
> a horribly bad idea per-Product configuration is.
>
> Yet another reason why you should NOT use "--product=workstation" to upgrade
> your F20 to F21 (ALWAYS use "--product=nonproduct"). Installing the
> "Workstation Product", or upgrading to it, will leave you with a totally
> insecure system.
>
>         Kevin Kofler
>
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
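
An added example, not part of either message: a small audit that parses a firewalld zone definition and reports the kind of wide port ranges quoted above. The sample zone is constructed; only its two `1025-65535` `<port>` lines come from the quoted message, while the `<zone>` wrapper, the other entries, and the 100-port threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the two 1025-65535 <port> lines appear in the
# quoted message; the wrapper, <service> and port 8080 are assumptions.
SAMPLE_ZONE = """<zone>
  <short>Constructed example</short>
  <service name="ssh"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
  <port protocol="tcp" port="8080"/>
</zone>"""

WIDE_RANGE_THRESHOLD = 100  # assumed policy: flag rules opening more ports than this


def parse_port_spec(spec):
    """Return (low, high) for a port value such as '8080' or '1025-65535'."""
    low, _, high = spec.strip().partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return low, high


def audit_zone(xml_text, threshold=WIDE_RANGE_THRESHOLD):
    """Report wide <port> rules and the number of distinct open ports per protocol."""
    wide_rules = []
    open_ports = {}
    for elem in ET.fromstring(xml_text).iter("port"):
        proto = elem.get("protocol")
        low, high = parse_port_spec(elem.get("port"))
        # A set de-duplicates overlapping rules (8080 lies inside 1025-65535).
        open_ports.setdefault(proto, set()).update(range(low, high + 1))
        if high - low + 1 > threshold:
            wide_rules.append((proto, low, high))
    return {
        "wide_rules": wide_rules,
        "open_ports": {p: len(s) for p, s in open_ports.items()},
    }


if __name__ == "__main__":
    report = audit_zone(SAMPLE_ZONE)
    for proto, low, high in report["wide_rules"]:
        print(f"WIDE RULE: {proto} {low}-{high} ({high - low + 1} ports)")
    for proto, count in report["open_ports"].items():
        print(f"{proto}: {count} of 65535 ports open ({count / 65535:.1%})")
```

To check an installed system, pass the contents of a zone file from `/usr/lib/firewalld/zones/` or `/etc/firewalld/zones/` to `audit_zone`.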