"Workstation" Product defaults to wide-open firewall
h.reindl at thelounge.net
Mon Dec 8 12:09:17 UTC 2014
On 08.12.2014 at 13:02, Aleksandar Kurtakov wrote:
> ----- Original Message -----
>> From: "Reindl Harald" <h.reindl at thelounge.net>
>> To: devel at lists.fedoraproject.org
>> Sent: Monday, December 8, 2014 1:26:29 PM
>> Subject: Re: "Workstation" Product defaults to wide-open firewall
>> On 08.12.2014 at 12:22, Bastien Nocera wrote:
>>>> On 08.12.2014 at 11:45, Bastien Nocera wrote:
>>>>>> Well, I'll understand these aspects.
>>>>>> But when I think about Linux, especially about Fedora, I'm thinking
>>>>>> about the freedom to make decisions. This means to me, to customize
>>>>>> and take advantage of my computer and in this case my operating system.
>>>>> You're free to select another firewall zone
>>>> so why do you not make secure defaults and say "You're free to select
>>>> another (more unsecure) firewall zone"?
>>> 1) It is secure enough and Eclipse listening to a port by default is a bug
>>> (and I have the firewall specialists at Red Hat/Fedora to back me up)
>>> 2) Good defaults
>> again: the *purpose* of a Firewall is to protect from application bugs
>> or unintentional user faults - frankly the early KDE4 setups in 2008 had
>> a ton of 0.0.0.0 listening high ports, that were indeed a bug and
>> hence a firewall to protect the user against such bugs
>> it is not a bug that "ZendStudio" is listening on a high UDP port for
>> license verification (only one instance in the same network via broadcasts)
>> it is intentional by the software
> I'm not going to comment what is good, what is intentional and etc.
> All I'm asking for is precise wording, aka when something is done by ZendStudio or any other Eclipse plugin, to name it unless it's something that Eclipse Platform/RCP does.
the point is not Eclipse
it was just an example of "netstat -l" as user and that the purpose of
an OS is *not* to have defaults only sane in a default install
any application running as user can open a high port
that's the purpose of non-privileged ports
that means finally *any* bad piece of code with the current settings can
open a listening port and be contacted by a botnet *directly* instead of
opening an active connection to the outside (which is bad enough)
spammers will love that opportunity because they no longer need to rely
on single points easily taken offline where the bot-nodes connect to, no
they just need to send their commands directly to the machines
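The message above argues from what "netstat -l" shows as an ordinary user: any unprivileged process can bind a high port, and with an open firewall zone a wildcard-bound listener is reachable from other hosts. The script below is an added example, not part of the thread or of any Fedora tooling: it parses the listening-socket table in the layout printed by `ss -ltnuH` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), keeps only sockets bound to a wildcard address (0.0.0.0, [::] or *), and labels each as a privileged (<1024) or unprivileged port. The sample table is constructed for the example; `scan_live` is an assumed wrapper name that runs the same check against the real `ss` output.

```shell
#!/bin/sh
# Added example (not from the mailing list post): list listening sockets
# bound to a wildcard address, i.e. those an open firewall zone exposes,
# and mark which ones sit on unprivileged (>= 1024) ports that any user
# process could have opened.

# Constructed sample in "ss -ltnuH" layout; not a real capture.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 0.0.0.0:38421 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 *:8080 *:*'

# Read ss-style lines on stdin; print "addr:port class" for wildcard binds.
wildcard_listeners() {
    awk '{
        la = $4                       # Local Address:Port column
        n = split(la, parts, ":")     # port is the text after the last colon
        port = parts[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
            class = (port + 0 < 1024) ? "privileged" : "unprivileged"
            print addr ":" port " " class
        }
    }'
}

# Assumed helper: run the same check against the live socket table.
# -l listening, -t tcp, -n numeric, -u udp, -H suppress the header line.
scan_live() {
    ss -ltnuH 2>/dev/null | wildcard_listeners
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
```

On the sample this prints the sshd listener on 22 as privileged and the two high ports (38421 and 8080) as unprivileged, while the CUPS listeners bound to loopback are not reported; those loopback binds are the ones a wide-open firewall zone does not change, which is exactly the distinction the thread is about.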