"Workstation" Product defaults to wide-open firewall

Reindl Harald h.reindl at thelounge.net
Mon Dec 8 09:50:09 UTC 2014


On 08.12.2014 at 10:34, Michael Spahn wrote:
> We don't need open or preconfigured high ports.
>
> What we really need is a user notification with options to allow or
> deny like we do with SELinux.
>
> That would be an appropriate solution for a workstation.

* you know that
* i know that
* the same applies for many options chosen at install

sadly the goal is to ask users as little as possible because they may be 
overwhelmed - the attitude "a user is a user and doesn't need to know 
anything because all can work magically" is wrong, proven dangerous and 
leads to users not knowing anything after not being bothered with anything

*finally* they are trained to *rely* on sane and secure defaults but 
everybody working in IT knows that you can never have both: secure 
by default and all magically working by default

people switched to Linux systems to go in the "secure by default" 
direction; sadly those times seem to be gone

> On 08.12.2014 10:29, Reindl Harald wrote:
>>
>>> On 08.12.2014 at 09:38, Paul Howarth wrote:
>>> FWIW, this is mentioned in the release notes:
>>>
>>> http://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#Products-Workstation
>>>
>>> 2.3.3. Developer oriented firewall
>>>
>>> Developers often run test servers that run on high numbered
>>> ports, and interconnectivity with many modern consumer devices
>>> also requires these ports. The firewall in Fedora Workstation,
>>> firewalld, is configured to allow these things.
>>>
>>> Ports numbered under 1024, with the exceptions of sshd and
>>> clients for samba and DHCPv6, are blocked to prevent access to
>>> system services. Ports above 1024, used for user-initiated
>>> applications, are open by default.
>>
>> WTF - "developer oriented firewall" on workstation?
>>
>> I doubt it is smart that by default my running Eclipse accepts
>> incoming connections from the WAN (that I am paid for IT security
>> prevents that, but only here)
>>
>> tcp        0      0 0.0.0.0:20080           0.0.0.0:*               LISTEN      8669/java
>> tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      8669/java
>> tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      8669/java
>> udp        0      0 0.0.0.0:4321            0.0.0.0:*                           8669/java
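The release note quoted above describes the policy (ports below 1024 blocked except sshd, samba clients and DHCPv6; everything above 1024 open), and the netstat lines show what that exposes on a real desktop. The script below is an added example, not code from the thread or from Fedora: it reads `netstat -tulpn`-style lines and reports the listeners that such a policy leaves reachable from the network, i.e. sockets bound to all interfaces (`0.0.0.0` or `::`) on a port above 1024. The sample input is constructed here; the java lines mirror the ones quoted in the thread, the others (cupsd, sshd, chronyd) are made up to show what the filter excludes.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or from Fedora).
# Given netstat -tulpn style lines, list sockets that a "ports above 1024
# are open" firewall policy would expose to the network: bound to every
# interface (0.0.0.0 for IPv4, :: for IPv6) on a port above 1024.

# Constructed sample output. The 8669/java lines mirror the thread; the
# cupsd, sshd and chronyd lines are invented to exercise the exclusions
# (loopback-only binding, privileged port).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:20080           0.0.0.0:*               LISTEN      8669/java
tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      8669/java
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      8669/java
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      712/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd
tcp6       0      0 :::8080                 :::*                    LISTEN      9001/java
udp        0      0 0.0.0.0:4321            0.0.0.0:*                           8669/java
udp        0      0 127.0.0.1:323           0.0.0.0:*                           640/chronyd'

# exposed_listeners: read netstat lines on stdin, print "proto port program"
# for every socket bound to all interfaces on a port above 1024.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # Field 4 is the local address, e.g. 0.0.0.0:20080 or :::8080.
            # The port is whatever follows the last colon; the address is
            # everything before it (":::8080" yields "::" and "8080").
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Loopback-only and link-specific bindings are not reachable
            # from the network regardless of firewall policy; privileged
            # ports are blocked by the policy itself.
            if ((addr == "0.0.0.0" || addr == "::") && port + 0 > 1024)
                print $1, port, $NF
        }'
}

# report_sample: run the filter over the constructed sample.
report_sample() {
    printf '%s\n' "$SAMPLE" | exposed_listeners
}

# count_exposed: number of exposed listeners in the constructed sample.
count_exposed() {
    report_sample | wc -l | tr -d ' '
}

report_sample
```

On a live Fedora system the same filter can be fed from `netstat -tulpn` or `ss -tulpn` (column layout is the same for the fields used), and `firewall-cmd --get-default-zone` shows which firewalld zone the machine is actually running under, so a reviewer can tell whether the permissive Workstation policy applies before reading the list.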
