"Workstation" Product defaults to wide-open firewall
h.reindl at thelounge.net
Mon Dec 8 09:50:09 UTC 2014
On 08.12.2014 at 10:34, Michael Spahn wrote:
> We don't need open or preconfigured high ports.
> What we really need is a user notification with options to allow or
> deny like we do with SELinux.
> That would be an appropriate solution for a workstation.
* you know that
* i know that
* the same applies for many options chosen at install

sadly the goal is to ask users as little as possible because they may be
overwhelmed - the attitude "a user is a user and doesn't need to know
anything because all can work magically" is wrong, proven dangerous and
leads to users not knowing anything after not being bothered with anything

*finally* they are trained to *rely* on sane and secure defaults but
everybody working in IT knows that you can never have both: secure
by default and all magically working by default

people switched to Linux systems to go in the "secure by default"
direction, sadly those times seem to be gone

> On 08.12.2014 10:29, Reindl Harald wrote:
>> On 08.12.2014 at 09:38, Paul Howarth wrote:
>>> FWIW, this is mentioned in the release notes:
>>> 2.3.3. Developer oriented firewall
>>> Developers often run test servers that run on high numbered
>>> ports, and interconnectivity with many modern consumer devices
>>> also requires these ports. The firewall in Fedora Workstation,
>>> firewalld, is configured to allow these things.
>>> Ports numbered under 1024, with the exceptions of sshd and
>>> clients for samba and DHCPv6, are blocked to prevent access to
>>> system services. Ports above 1024, used for user-initiated
>>> applications, are open by default.
>> WTF - "developer oriented firewall" on workstation?
>> i doubt it is smart that by default my running Eclipse accepts
>> incoming connections from the WAN (that i am paid for IT security
>> prevents that but only here)
>> tcp 0 0 0.0.0.0:20080 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:10137 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN
>> udp 0 0 0.0.0.0:4321 0.0.0.0:*
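
Added example, not part of the original message or of any Fedora tooling: a small audit that applies the policy quoted from the release notes to numeric `netstat` output and reports which listeners stay reachable from the network. The port numbers for the sshd, samba-client and DHCPv6-client exceptions are assumed to be the usual defaults, and the last three sample lines are constructed.

```python
import ipaddress

# Policy as quoted from the release notes above: ports above 1024 are open,
# lower ports are blocked except sshd and the samba / DHCPv6 clients.
# Assumption: the usual port numbers for those three exceptions.
LOW_PORT_EXCEPTIONS = {("tcp", 22), ("udp", 137), ("udp", 138), ("udp", 546)}

# First four lines are the listeners posted in the thread; the last three
# are constructed to cover the loopback, blocked-low-port and sshd cases.
SAMPLE = """\
tcp 0 0 0.0.0.0:20080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10137 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:4321 0.0.0.0:*
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
"""

def parse_listener(line):
    """Return (proto, host, port) for a listening socket line, else None."""
    fields = line.split()
    if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
        return None
    if fields[0].startswith("tcp") and fields[-1] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    return fields[0][:3], host.strip("[]"), int(port)

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" or a name: treat as reachable from outside
        return False

def allowed_by_policy(proto, port):
    return port > 1024 or (proto, port) in LOW_PORT_EXCEPTIONS

def exposed(netstat_text):
    """Listeners the quoted default policy leaves reachable from the network."""
    found = []
    for line in netstat_text.splitlines():
        parsed = parse_listener(line)
        if parsed and not is_loopback(parsed[1]) and allowed_by_policy(parsed[0], parsed[2]):
            found.append(parsed)
    return found

if __name__ == "__main__":
    for proto, host, port in exposed(SAMPLE):
        print(f"{proto}/{port} bound to {host}: reachable under the default policy")
```
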