"Workstation" Product defaults to wide-open firewall

Ian Malone ibmalone at gmail.com
Mon Dec 8 08:57:43 UTC 2014

On 8 December 2014 at 08:38, Paul Howarth <paul at city-fan.org> wrote:
> On Mon, 08 Dec 2014 07:41:52 +0100
> Kevin Kofler <kevin.kofler at chello.at> wrote:
>> Hi,
>> I just happened to look at the firewalld default settings, and I was
>> not amused when I noticed this:
>> http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
>> >  <port protocol="udp" port="1025-65535"/>
>> >  <port protocol="tcp" port="1025-65535"/>
>> This "firewall" is a joke! ALL higher ports are wide open!
>> There had been a prior discussion on this list where they wanted to
>> disable the firewall entirely. We told them that that's a horrible
>> idea (which it is, of course!). But the result is that they
>> implemented this "solution" which is almost entirely as bad, and
>> which additionally gives users a false sense of security, because a
>> "firewall" is "enabled" (for a very twisted definition of "enabled").
>> IMHO, this is a major security issue that MUST be fixed. It also
>> shows what horribly bad an idea per-Product configuration is.
>> Yet another reason why you should NOT use "--product=workstation" to
>> upgrade your F20 to F21 (ALWAYS use "--product=nonproduct").
>> Installing the "Workstation Product", or upgrading to it, will leave
>> you with a totally insecure system.
> FWIW, this is mentioned in the release notes:
> http://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#Products-Workstation
> 2.3.3. Developer oriented firewall
> Developers often run test servers that run on high numbered ports, and
> interconnectivity with many modern consumer devices also requires these
> ports. The firewall in Fedora Workstation, firewalld, is configured to
> allow these things.
> Ports numbered under 1024, with the exceptions of
> sshd and clients for samba and DHCPv6, are blocked to prevent access to
> system services. Ports above 1024, used for user-initiated
> applications, are open by default.

That's a rather confused explanation to me, developers are able to
adjust their firewalls or disable them for troubleshooting if they
wish. It then ropes in "interconnectivity with many modern consumer

Does feel rather like a fedora-no-longer-has-your-back moment.


More information about the devel mailing list