"Workstation" Product defaults to wide-open firewall

Paul Howarth paul at city-fan.org
Mon Dec 8 08:38:03 UTC 2014

On Mon, 08 Dec 2014 07:41:52 +0100
Kevin Kofler <kevin.kofler at chello.at> wrote:

> Hi,
> I just happened to look at the firewalld default settings, and I was
> not amused when I noticed this:
> http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> >  <port protocol="udp" port="1025-65535"/>
> >  <port protocol="tcp" port="1025-65535"/>
> This "firewall" is a joke! ALL higher ports are wide open!
> There had been a prior discussion on this list where they wanted to
> disable the firewall entirely. We told them that that's a horrible
> idea (which it is, of course!). But the result is that they
> implemented this "solution" which is almost entirely as bad, and
> which additionally gives users a false sense of security, because a
> "firewall" is "enabled" (for a very twisted definition of "enabled").
> IMHO, this is a major security issue that MUST be fixed. It also
> shows what horribly bad an idea per-Product configuration is.
> Yet another reason why you should NOT use "--product=workstation" to
> upgrade your F20 to F21 (ALWAYS use "--product=nonproduct").
> Installing the "Workstation Product", or upgrading to it, will leave
> you with a totally insecure system.

FWIW, this is mentioned in the release notes:


2.3.3. Developer oriented firewall

Developers often run test servers that run on high numbered ports, and
interconnectivity with many modern consumer devices also requires these
ports. The firewall in Fedora Workstation, firewalld, is configured to
allow these things.

Ports numbered under 1024, with the exceptions of
sshd and clients for samba and DHCPv6, are blocked to prevent access to
system services. Ports above 1024, used for user-initiated
applications, are open by default. 


More information about the devel mailing list